Malware Analysis Report

2025-08-05 12:31

Sample ID 230505-bty87afh83
Target 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
Tags: asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491

Threat Level: Known bad

The file 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-05 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-05 01:26

Reported

2023-05-05 01:29

Platform

win7-20230220-en

Max time kernel

59s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 740 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 740 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsafte.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\microsafte.exe

"C:\Users\Admin\AppData\Roaming\microsafte.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 seznam.zapto.org udp
NL 91.109.178.2:6606 seznam.zapto.org tcp

Files

memory/1240-54-0x0000000000280000-0x0000000000368000-memory.dmp

memory/1240-55-0x0000000000370000-0x0000000000382000-memory.dmp

memory/1240-56-0x0000000004A10000-0x0000000004A50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpABF9.tmp.bat

MD5 47d6f66c4cb05a3cfa0971179dd19972
SHA1 8fec647f8c206a4bc41d1780b92010d7f97b903c
SHA256 36af6bddcf9cfb0147f47da5f7a9dbf4d5ffe7e1bee8d3af34fb7be1303d2fce
SHA512 d89a68be09075545f31cc3f9acf10e5acfb1f8b70ee50184d3dff16e5d664a790543453f1f7e50596401c2802f4e6b912da037b785d7d1c95949a1d2ace31997

C:\Users\Admin\AppData\Roaming\microsafte.exe

MD5 c011326ff5f864290617144c3dddcc88
SHA1 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

memory/432-69-0x0000000000C20000-0x0000000000D08000-memory.dmp

memory/432-70-0x0000000004850000-0x0000000004890000-memory.dmp

memory/432-88-0x0000000004850000-0x0000000004890000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-05 01:26

Reported

2023-05-05 01:29

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 3992 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3600 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3992 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsafte.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC009.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'

C:\Users\Admin\AppData\Roaming\microsafte.exe

"C:\Users\Admin\AppData\Roaming\microsafte.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 104.208.16.89:443 tcp
US 8.8.8.8:53 milla.publicvm.com udp
NL 91.109.178.2:8808 milla.publicvm.com tcp
US 8.8.8.8:53 2.178.109.91.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/3628-133-0x0000000000C00000-0x0000000000CE8000-memory.dmp

memory/3628-134-0x0000000005C40000-0x00000000061E4000-memory.dmp

memory/3628-135-0x0000000005730000-0x00000000057C2000-memory.dmp

memory/3628-136-0x00000000057D0000-0x000000000586C000-memory.dmp

memory/3628-137-0x0000000005960000-0x0000000005970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC009.tmp.bat

MD5 26976e8e5aefac0a1bf0c90b8c471069
SHA1 e43de325e4c9b4f82fb512b8a8857c5dcee557c3
SHA256 8b5b78b519db60af171a76229361b14e67e6d6280ab450f154f439759ed9f1f8
SHA512 f4cd1b31ea5cd8c1d5d872580a064f6cec31eec87ea0eaef013090e210ddc96c481dbb6ff521c817933dac3db6c1a44b620de9422c664505ce4cd5daf402bad6

C:\Users\Admin\AppData\Roaming\microsafte.exe

MD5 c011326ff5f864290617144c3dddcc88
SHA1 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

memory/208-146-0x0000000005890000-0x00000000058A0000-memory.dmp

memory/208-147-0x00000000065F0000-0x0000000006656000-memory.dmp

memory/208-148-0x0000000005890000-0x00000000058A0000-memory.dmp