Malware Analysis Report

2025-08-05 12:31

Sample ID 230505-bvf41ahg8w
Target 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491

Threat Level: Known bad

The file 35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-05 01:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-05 01:27

Reported

2023-05-05 01:30

Platform

win10v2004-20230220-en

Max time kernel

73s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A (23 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 1780 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4716 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 1384 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1780 wrote to memory of 3804 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 2840 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsafte.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; each entry shows the image path followed by its command line):

5060  C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
      "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
  1780  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    3804  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
  4716  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFF0.tmp.bat""
    1384  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    2840  C:\Users\Admin\AppData\Roaming\microsafte.exe
          "C:\Users\Admin\AppData\Roaming\microsafte.exe"

The sample does two things in parallel: it registers a logon-triggered scheduled task (named after the sample's own file name) that would run the dropped copy as SYSTEM at the highest run level, and it runs a temporary batch file that waits three seconds (timeout 3) and then launches the dropped copy. Creating a task with /ru system needs administrative rights; the report records the schtasks invocation but not whether it succeeded.
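A detection-side view of this chain, added here as an example and not part of the sandbox report: the process-creation events below are constructed from the command lines and parent/child pairs of this run (the Sysmon-style field names pid, ppid, image and cmdline are an assumption), and the two checks flag the schtasks persistence and the delayed execution of the dropped copy.

```python
"""Added example, not part of the sandbox report: detection logic for the
persistence chain shown in the process list above, run over process-creation
events constructed from this report's command lines. The event schema
(pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1;
parent/child links are taken from the WriteProcessMemory table."""
import re

# Constructed input: behavioral2 run, PIDs and command lines as reported above.
EVENTS = [
    {"pid": 5060, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"'},
    {"pid": 1780, "ppid": 5060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit'''},
    {"pid": 4716, "ppid": 5060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFF0.tmp.bat""'},
    {"pid": 1384, "ppid": 4716, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 3804, "ppid": 1780, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'"""},
    {"pid": 2840, "ppid": 4716, "image": r"C:\Users\Admin\AppData\Roaming\microsafte.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\microsafte.exe"'},
]

# Anything under a user's AppData is writable without elevation.
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def parse_schtasks_create(cmdline):
    """Return the flags of a `schtasks /create` command line, or None if it is not one."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    flags = {m.group(1).lower(): m.group(2)
             for m in re.finditer(r"/(sc|ru|rl|tn)\s+(\S+)", cmdline, re.IGNORECASE)}
    # /tr is wrapped in both ' and " in this sample; take the whole quoted token.
    m = re.search(r"""/tr\s+('[^']*'|"[^"]*"|\S+)""", cmdline, re.IGNORECASE)
    flags["tr"] = m.group(1).strip("'\"") if m else ""
    return flags


def task_risk_reasons(flags):
    """Why a parsed `schtasks /create` looks like persistence; empty list means nothing notable."""
    reasons = []
    if flags.get("ru", "").lower() == "system":
        reasons.append("runs as SYSTEM")
    if flags.get("rl", "").lower() == "highest":
        reasons.append("highest run level")
    if flags.get("sc", "").lower() == "onlogon":
        reasons.append("logon trigger")
    if USER_PROFILE.search(flags.get("tr", "")):
        reasons.append("task action lives in a user profile directory")
    return reasons


def find_scheduled_task_persistence(events):
    """Flag every event whose command line creates a task with at least two risk reasons."""
    hits = []
    for e in events:
        flags = parse_schtasks_create(e["cmdline"])
        if flags is None:
            continue
        reasons = task_risk_reasons(flags)
        if len(reasons) >= 2:
            hits.append({"pid": e["pid"], "task": flags.get("tn", ""),
                         "target": flags["tr"], "reasons": reasons})
    return hits


def find_delayed_drop_execution(events):
    """cmd.exe running a %TEMP% .bat whose children are timeout.exe and an EXE from the user profile."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r'\\temp\\[^"]*\.bat', e["cmdline"], re.IGNORECASE):
            continue
        kids = children.get(e["pid"], [])
        delayed = any(k["image"].lower().endswith("\\timeout.exe") for k in kids)
        dropped = [k["image"] for k in kids
                   if k["image"].lower().endswith(".exe") and USER_PROFILE.search(k["image"])]
        if delayed and dropped:
            hits.append({"bat_cmd_pid": e["pid"], "dropped": dropped})
    return hits


def analyze(events):
    return {"scheduled_tasks": find_scheduled_task_persistence(events),
            "delayed_drops": find_delayed_drop_execution(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

Run stand-alone it prints the findings as JSON. Both the cmd.exe wrapper (1780) and the schtasks.exe child (3804) are reported, which is what real telemetry looks like; requiring two or more reasons keeps ordinary logon tasks that run as the interactive user out of the results.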

Network

Country Destination        Domain                       Proto
US      8.8.8.8:53         133.211.185.52.in-addr.arpa  udp
US      8.8.8.8:53         133.17.126.40.in-addr.arpa   udp
US      8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US      8.8.8.8:53         157.123.68.40.in-addr.arpa   udp
US      8.8.8.8:53         171.39.242.20.in-addr.arpa   udp
US      20.189.173.13:443  -                            tcp
US      8.8.8.8:53         milla.publicvm.com           udp
NL      91.109.178.2:8808  milla.publicvm.com           tcp
US      8.8.8.8:53         2.178.109.91.in-addr.arpa    udp
US      8.8.8.8:53         233.141.123.20.in-addr.arpa  udp

C2 indicator for this run: milla.publicvm.com, resolved to 91.109.178.2 and contacted over TCP port 8808. 8808 is one of AsyncRAT's default listener ports (6606, 7707, 8808), consistent with the "default" tag. The in-addr.arpa rows are reverse lookups of addresses seen during the run (2.178.109.91.in-addr.arpa is the reverse of the C2 address) and carry no indicator value on their own; the 20.189.173.13:443 connection has no associated domain in the report.

Files

memory/5060-133-0x0000000000590000-0x0000000000678000-memory.dmp

memory/5060-134-0x0000000005490000-0x0000000005A34000-memory.dmp

memory/5060-135-0x0000000004EE0000-0x0000000004F72000-memory.dmp

memory/5060-136-0x0000000005020000-0x00000000050BC000-memory.dmp

memory/5060-137-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFFF0.tmp.bat

MD5 d26694bfd15acd5775c29d189045bbe6
SHA1 893b7defce5fe3988a4e8bf8a5d8e679b3edc5a6
SHA256 5e11081c672842b0a1906b6f060d98af815894bfc4fd163cbef736b76a5df590
SHA512 2b935482cfc469727d4446f6045c4d9d8ed08060f885a3d46ddfb0051e544f26ea5b1a695b5f05104249209c7c9d75ac9d5c47398b26f45e151c5548b6a8a873

C:\Users\Admin\AppData\Roaming\microsafte.exe

MD5 c011326ff5f864290617144c3dddcc88
SHA1 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

The dropped file has the same hashes as the submitted sample: it is a byte-identical self-copy, so the sample's own hashes also identify the persisted copy.

memory/2840-146-0x0000000005700000-0x0000000005710000-memory.dmp

memory/2840-149-0x00000000061C0000-0x0000000006226000-memory.dmp

memory/2840-150-0x0000000005700000-0x0000000005710000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-05 01:27

Reported

2023-05-05 01:30

Platform

win7-20230220-en

Max time kernel

58s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsafte.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 1728 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1736 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1724 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1728 wrote to memory of 1788 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1736 wrote to memory of 540 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsafte.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; each entry shows the image path followed by its command line):

1444  C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe
      "C:\Users\Admin\AppData\Local\Temp\35BC2054162C7288B55CAECC386D129B5B03E2A97985F.exe"
  1728  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit
    1788  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /ru system /rl highest /tn 35BC2054162C7288B55CAECC386D129B5B03E2A97985F /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'
  1736  C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E1D.tmp.bat""
    1724  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    540   C:\Users\Admin\AppData\Roaming\microsafte.exe
          "C:\Users\Admin\AppData\Roaming\microsafte.exe"

Same chain as on Windows 10: a logon-triggered scheduled task for the dropped copy (/ru system /rl highest, which needs administrative rights to register) and a temporary batch file that waits three seconds before launching it. Only the batch file name differs between runs, which is why the .bat hashes differ while the dropped executable's hashes do not.

Network

Country Destination        Domain            Proto
US      8.8.8.8:53         seznam.zapto.org  udp
NL      91.109.178.2:6606  seznam.zapto.org  tcp

C2 indicator for this run: seznam.zapto.org, resolved to the same address as in the Windows 10 run (91.109.178.2) but contacted on TCP port 6606, another AsyncRAT default port. AsyncRAT configurations can carry several host/port pairs that the client cycles through, which is consistent with the two runs reaching the same server under different dynamic-DNS names and ports; both names and the address should be treated as indicators.
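To turn the Network tables of both detonations into usable indicators, the following is an added example (not the sandbox's own code): it parses the rows as they appear above (copied into NETWORK_ROWS as constructed input), discards reverse lookups and resolver traffic, keeps TCP connections to a named host on a non-web port, and emits Suricata rules for them. The dynamic-DNS zone list and the sid range are assumptions.

```python
"""Added example, not part of the sandbox report: triage of the Network tables
of both detonations above. NETWORK_ROWS is constructed by copying the table
lines; the dynamic-DNS zone list and the Suricata sid range are assumptions."""

# Constructed input: the behavioral2 (win10) rows followed by the behavioral1 (win7) rows.
NETWORK_ROWS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 milla.publicvm.com udp
NL 91.109.178.2:8808 milla.publicvm.com tcp
US 8.8.8.8:53 2.178.109.91.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 seznam.zapto.org udp
NL 91.109.178.2:6606 seznam.zapto.org tcp
"""

# Assumption: parent zones of the free dynamic-DNS services used by this sample.
DYNAMIC_DNS_ZONES = {"publicvm.com", "zapto.org"}
# AsyncRAT ships with 6606, 7707 and 8808 as its default listener ports.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines; the Domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # bare IP connection, no domain column
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def classify(row):
    """Coarse bucket for one row: reverse lookups and resolver traffic are noise,
    a TCP session to a named host on a non-web port is a C2 candidate."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-query"
    if row["proto"] == "tcp" and row["domain"] and row["port"] not in (80, 443):
        return "c2-candidate"
    return "unattributed"


def c2_indicators(rows):
    """Deduplicated (domain, ip, port) indicators with dynamic-DNS and default-port flags."""
    found = {}
    for r in rows:
        if classify(r) != "c2-candidate":
            continue
        zone = ".".join(r["domain"].split(".")[-2:])
        key = (r["domain"], r["ip"], r["port"])
        found[key] = {"domain": r["domain"], "ip": r["ip"], "port": r["port"],
                      "country": r["country"],
                      "dynamic_dns": zone in DYNAMIC_DNS_ZONES,
                      "asyncrat_default_port": r["port"] in ASYNCRAT_DEFAULT_PORTS}
    return list(found.values())


def suricata_rules(indicators, sid_base=9000001):
    """One IP:port rule and one DNS-query rule per indicator (sid_base is assumed; use your own range)."""
    rules = []
    for i, ind in enumerate(indicators):
        rules.append(
            f'alert tcp $HOME_NET any -> {ind["ip"]} {ind["port"]} '
            f'(msg:"AsyncRAT C2 {ind["domain"]}"; flow:to_server; sid:{sid_base + 2 * i}; rev:1;)')
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"AsyncRAT C2 domain lookup {ind["domain"]}"; dns.query; '
            f'content:"{ind["domain"]}"; nocase; sid:{sid_base + 2 * i + 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(c2_indicators(parse_rows(NETWORK_ROWS))):
        print(rule)
```

classify() is deliberately coarse: the 20.189.173.13:443 connection has no domain on the page and stays unattributed rather than being guessed at, and everything the filter drops remains in the parsed rows for manual review. The IP rule is the more brittle of the two since dynamic-DNS names are re-pointed easily; keep both.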

Files

memory/1444-54-0x0000000001290000-0x0000000001378000-memory.dmp

memory/1444-55-0x00000000003B0000-0x00000000003C2000-memory.dmp

memory/1444-56-0x0000000000A40000-0x0000000000A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8E1D.tmp.bat

MD5 e6f1ca00b0ae08bed9fc92efb6bd61f6
SHA1 95eb579b30275734831f20425ecadc806fbc3c70
SHA256 ff73f1801db2d5ada12bd96398e8751a9e0016f7b2adfc65af1e5250c2396e4c
SHA512 842478c85d79debb703383c653ae15428724d1f9100ab9ccdf7c372ea2c41072957919a612bba432ab596e11a4c9b8b00b32753509ccad12e36ee66cce86956f

C:\Users\Admin\AppData\Roaming\microsafte.exe (also recorded without the drive letter as \Users\Admin\AppData\Roaming\microsafte.exe)

MD5 c011326ff5f864290617144c3dddcc88
SHA1 257d10e95aeec5d8c63e4d1369c5cbf244568bf7
SHA256 35bc2054162c7288b55caecc386d129b5b03e2a97985f659913338195be78491
SHA512 894e43a4265c396b0721ea3fb99991047cc33aa36fc9f2f8fb47c5f66813a8226589b8ed045a1edc2279654cf3b933f413a434cf42f1fcd11f52ff3d6bd2a07a

As in the Windows 10 run, the dropped file has the same hashes as the submitted sample: a byte-identical self-copy placed in the Roaming profile.

memory/540-69-0x0000000001290000-0x0000000001378000-memory.dmp

memory/540-70-0x0000000004B20000-0x0000000004B60000-memory.dmp

memory/540-85-0x0000000004B20000-0x0000000004B60000-memory.dmp