Malware Analysis Report

2025-08-05 12:32

Sample ID:  230505-bwmceafh88
Target:     1240-55-0x0000000000370000-0x0000000000382000-memory.dmp
SHA256:     5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
Tags:       rat, default, asyncrat
Score:      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score:        10/10
SHA256:       5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6
Threat Level: Known bad

The file 1240-55-0x0000000000370000-0x0000000000382000-memory.dmp was found to be: Known bad.

The target name follows the sandbox's own memory-dump naming (compare the memory/... entries under Files): it is a PE image dumped from the memory of PID 1240 (region 0x370000-0x382000) in an earlier run, i.e. the unpacked AsyncRAT payload rather than the original dropper, and the sandbox renamed it to .exe and ran it directly. In both detonations it copies itself to C:\Users\Admin\AppData\Roaming\microsafte.exe (same SHA256 as the submitted file), registers an onlogon scheduled task that runs the copy as SYSTEM at the highest run level, waits three seconds through a temporary batch file and timeout.exe, starts the copy, and connects to seznam.zapto.org (91.109.178.2) on TCP/6606.

Malicious Activity Summary

Tags: rat, default, asyncrat

AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-05 01:29

Signatures

Async RAT payload (rat): matched; no indicator, process or target details recorded.

Asyncrat family (asyncrat)

Unsigned PE: matched; no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted:        2023-05-05 01:29
Reported:         2023-05-05 01:32
Platform:         win7-20230220-en
Max time kernel:  38s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat): 5 matches; no indicator, process or target details recorded.

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\microsafte.exe

Enumerates physical storage devices

Creates scheduled task(s) (persistence)
  Process: C:\Windows\system32\schtasks.exe

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\system32\timeout.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\microsafte.exe

Suspicious use of WriteProcessMemory
  Each writer/target pair was recorded three times; one line per pair below.
  Writer PID | Target PID | Writer process | Target process
  2016 | 516  | C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe | C:\Windows\System32\cmd.exe
  2016 | 1432 | C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe | C:\Windows\system32\cmd.exe
  516  | 1876 | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
  1432 | 812  | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
  1432 | 1544 | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\microsafte.exe
  Every pair here is a parent writing into a child it has just created, so these rows document the process tree (and supply its PIDs) rather than injection into an unrelated process.

Uses Task Scheduler COM API (persistence)

Processes

Process tree (PIDs taken from the WriteProcessMemory rows of this run):

2016  C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe
      "C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"

  516   C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit

    1876    C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'

  1432  C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp.bat""

    812     C:\Windows\system32\timeout.exe
            timeout 3

    1544    C:\Users\Admin\AppData\Roaming\microsafte.exe
            "C:\Users\Admin\AppData\Roaming\microsafte.exe"

The task name is the sample's own file name without its extension; /sc onlogon, /ru system and /rl highest request that the dropped copy be started by the Task Scheduler as SYSTEM at every logon, and /f overwrites any task of the same name. The temporary batch file is the second stage: it runs timeout 3 and then starts the copy from AppData\Roaming.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | seznam.zapto.org | udp
NL | 91.109.178.2:6606 | seznam.zapto.org | tcp

seznam.zapto.org is a No-IP dynamic-DNS hostname; the sample resolved it and connected to 91.109.178.2 on TCP/6606, one of the three default listener ports (6606, 7707, 8808) in the public AsyncRAT builder. This is the only network activity recorded in this run.

Files

memory/2016-54-0x0000000001080000-0x0000000001092000-memory.dmp
memory/2016-55-0x000000001B0E0000-0x000000001B160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp.bat (listed twice in the run with identical hashes; shown once)
MD5    f1379a15061e6b5df40db3da283bff5b
SHA1   51ac1db18747ada4cdef9ffe38ed1af4a4133671
SHA256 34f58e05abbda98901492e9153408bf3996c024d3b2eb3a4262d64a207332fdb
SHA512 71265fce9479f8206683249c4e9af66e765f0ebf0ee67fb6f582e443f51d39b46944799bf9319dce8bef8ef299f3dbab6b15ad7e2add814a60a05ea9d969ec57

C:\Users\Admin\AppData\Roaming\microsafte.exe (listed twice in the run with identical hashes; shown once)
MD5    6ddcee176a864b67cd4cff577c28cdf1
SHA1   c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6 (same as the submitted sample: the dropped file is a byte-for-byte copy)
SHA512 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4

memory/1544-68-0x0000000000A50000-0x0000000000A62000-memory.dmp
memory/1544-69-0x000000001B1D0000-0x000000001B250000-memory.dmp
memory/1544-87-0x000000001B1D0000-0x000000001B250000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2023-05-05 01:29
Reported:         2023-05-05 01:32
Platform:         win10v2004-20230220-en
Max time kernel:  135s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat): 3 matches; no indicator, process or target details recorded.

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\microsafte.exe

Enumerates physical storage devices

Creates scheduled task(s) (persistence)
  Process: C:\Windows\system32\schtasks.exe

Delays execution with timeout.exe (evasion)
  Process: C:\Windows\system32\timeout.exe

Suspicious behavior: EnumeratesProcesses
  25 matches, all from C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe; no indicator or target details recorded.

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe
  Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\microsafte.exe

Uses Task Scheduler COM API (persistence)

Processes

Same chain as behavioral1. This run records no PIDs in its signature tables, so the indentation below follows the parent/child pairs recorded there (cmd /c schtasks spawns schtasks.exe; cmd /c on the temporary batch file spawns timeout.exe and the dropped copy).

C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe
  "C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"' & exit

    C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /ru system /rl highest /tn 1240-55-0x0000000000370000-0x0000000000382000-memory /tr '"C:\Users\Admin\AppData\Roaming\microsafte.exe"'

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE004.tmp.bat""

    C:\Windows\system32\timeout.exe
      timeout 3

    C:\Users\Admin\AppData\Roaming\microsafte.exe
      "C:\Users\Admin\AppData\Roaming\microsafte.exe"

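The persistence chain shown in the behavioral1 and behavioral2 process trees, as detection logic over process-creation telemetry. This is an added example and not part of the sandbox report: the records are constructed from the behavioral1 command lines and the parent/child PIDs in its WriteProcessMemory rows (the behavioral2 run is the same chain with different PIDs), and the record layout, the user-writable path list, the set of value-less schtasks switches and the finding texts are this example's own assumptions. It flags schtasks /create with /ru system, /rl highest and /sc onlogon whose action lives under AppData, also when wrapped in cmd /c, and a cmd.exe running a .bat from Temp whose children are timeout.exe and an executable from a user-writable directory.

```python
"""Flag the AsyncRAT persistence chain in process-creation telemetry.

Added example, not part of the sandbox report.  EVENTS is constructed from
the behavioral1 process tree and the parent/child pairs in its
WriteProcessMemory rows; the record layout (pid, ppid, image, cmdline) is
this script's own, and ppid 0 marks the unknown parent of the sample.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1240-55-0x0000000000370000-0x0000000000382000-memory.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\microsafte.exe"
TASK = "1240-55-0x0000000000370000-0x0000000000382000-memory"
SCHTASKS_ARGS = f"/create /f /sc onlogon /ru system /rl highest /tn {TASK} /tr '\"{DROPPED}\"'"

EVENTS = [  # constructed from the report's behavioral1 process tree
    ProcEvent(2016, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(516, 2016, r"C:\Windows\System32\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c schtasks {SCHTASKS_ARGS} & exit'),
    ProcEvent(1432, 2016, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp.bat""'),
    ProcEvent(1876, 516, r"C:\Windows\system32\schtasks.exe", f"schtasks {SCHTASKS_ARGS}"),
    ProcEvent(812, 1432, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(1544, 1432, DROPPED, f'"{DROPPED}"'),
]

TOKEN = re.compile(r"(?:'[^']*'|\"[^\"]*\"|\S)+")  # quoted runs stay inside one token
VALUELESS = {"f", "z", "it", "np", "v1"}            # schtasks /create switches that take no value
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\"'\s]+\.bat", re.I)


def strip_quotes(value):
    """Peel matching outer quotes: '\"C:\\x.exe\"' -> C:\\x.exe (single then double)."""
    while len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
        value = value[1:-1]
    return value


def parse_schtasks(cmdline):
    """Options of a schtasks command line as a dict, or None if it is not schtasks.
    Looks through the 'cmd /c schtasks ...' wrapper the RAT uses here."""
    toks = TOKEN.findall(cmdline)
    if len(toks) >= 3 and re.search(r"cmd(\.exe)?$", strip_quotes(toks[0]), re.I) and toks[1].lower() == "/c":
        toks = toks[2:]
    if not toks or not re.search(r"schtasks(\.exe)?$", strip_quotes(toks[0]), re.I):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if not toks[i].startswith("/"):  # '&', 'exit', stray words
            i += 1
            continue
        key = toks[i][1:].lower()
        if key in VALUELESS or i + 1 == len(toks) or toks[i + 1].startswith("/"):
            opts[key], i = "", i + 1
        else:
            opts[key], i = strip_quotes(toks[i + 1]), i + 2
    return opts


def check_schtasks(ev):
    """Task that re-runs a file from a user-writable path as SYSTEM at logon."""
    opts = parse_schtasks(ev.cmdline)
    if not opts or "create" not in opts:
        return []
    hits = []
    if opts.get("ru", "").lower() in ("system", r"nt authority\system") and opts.get("rl", "").lower() == "highest":
        hits.append("T1053.005: task created to run as SYSTEM at highest run level")
    if opts.get("sc", "").lower() == "onlogon":
        hits.append("trigger onlogon: the action re-runs at every logon")
    if USER_WRITABLE.search(opts.get("tr", "")):
        hits.append("task action in a user-writable path: " + opts["tr"])
    return hits


def check_staged_launch(ev, children):
    """cmd.exe running a .bat from Temp whose children are timeout.exe plus an .exe
    in a user-writable directory: the 'wait, then start the copy' stage."""
    if not ev.image.lower().endswith("\\cmd.exe") or not TEMP_BAT.search(ev.cmdline):
        return []
    kids = children.get(ev.pid, [])
    delay = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
    started = [k.image for k in kids if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
    return [f"temp batch delays with timeout.exe, then starts {started[0]}"] if delay and started else []


def analyze(events):
    """pid -> findings, for every process that trips a rule."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = {e.pid: check_schtasks(e) + check_staged_launch(e, children) for e in events}
    return {pid: hits for pid, hits in findings.items() if hits}


if __name__ == "__main__":
    for pid, hits in sorted(analyze(EVENTS).items()):
        print(pid, *hits, sep="\n  ")
```

Both the cmd.exe wrapper (PID 516) and schtasks.exe itself (PID 1876) trip the task rules, which is deliberate: some telemetry sources only log the wrapper's command line. The batch stage is recognised from the parent/child shape alone, so it does not depend on the batch file's contents, which the report does not include.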
Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | seznam.zapto.org | udp
NL | 91.109.178.2:6606 | seznam.zapto.org | tcp
US | 8.8.8.8:53 | 2.178.109.91.in-addr.arpa | udp
US | 20.42.72.131:443 | - | tcp
US | 40.125.122.176:443 | - | tcp
US | 209.197.3.8:80 | - | tcp
NL | 173.223.113.164:443 | - | tcp
NL | 173.223.113.131:80 | - | tcp
US | 204.79.197.203:80 | - | tcp
US | 40.125.122.176:443 | - | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | - | tcp
US | 40.125.122.176:443 | - | tcp
US | 40.125.122.176:443 | - | tcp
US | 40.125.122.176:443 | - | tcp
US | 40.125.122.176:443 | - | tcp

As in behavioral1, the sample's own traffic is the lookup of seznam.zapto.org and the TCP connection to 91.109.178.2:6606; the query for 2.178.109.91.in-addr.arpa is a reverse lookup of that same C2 address. The remaining rows (reverse lookups of unrelated addresses and HTTP/HTTPS to Microsoft and CDN address space for which the sample resolved no name) are consistent with Windows 10 background traffic, and the report attributes none of them to the sample.
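The network rows above, triaged by the added script below (example code, not part of the report): it rebuilds the behavioral2 table as data, classifies every TCP connection for which the sample resolved a name (dynamic-DNS suffix, AsyncRAT default port, non-web port), turns the in-addr.arpa queries back into addresses so the reverse lookup of the C2 is kept as a pivot, and counts the rest as background. The dynamic-DNS suffix list, the port set and the labels are this example's assumptions; the behavioral1 table is a subset of these rows and gets the same verdict.

```python
"""Triage a sandbox Network table: separate the sample's C2 from OS
background traffic and keep the pivots worth recording.

Added example, not part of the sandbox report.  ROWS is constructed from
the behavioral2 Network table.  The dynamic-DNS suffix list and the port
set are this script's own assumptions (6606/7707/8808 are the listener
defaults in the public AsyncRAT builder).
"""
import ipaddress
import json
from collections import Counter

# (country, destination, domain, proto) as printed in the report; "" = no name.
ROWS = [
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "22.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "seznam.zapto.org", "udp"),
    ("NL", "91.109.178.2:6606", "seznam.zapto.org", "tcp"),
    ("US", "8.8.8.8:53", "2.178.109.91.in-addr.arpa", "udp"),
    ("US", "20.42.72.131:443", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
    ("US", "209.197.3.8:80", "", "tcp"),
    ("NL", "173.223.113.164:443", "", "tcp"),
    ("NL", "173.223.113.131:80", "", "tcp"),
    ("US", "204.79.197.203:80", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
    ("US", "8.8.8.8:53", "64.13.109.52.in-addr.arpa", "udp"),
    ("US", "209.197.3.8:80", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
    ("US", "40.125.122.176:443", "", "tcp"),
]

DDNS_SUFFIXES = ("zapto.org", "hopto.org", "sytes.net", "no-ip.org", "no-ip.biz",
                 "ddns.net", "duckdns.org")
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
WEB_PORTS = {80, 443}


def split_dest(dest):
    """'91.109.178.2:6606' -> ('91.109.178.2', 6606)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_to_ip(name):
    """'2.178.109.91.in-addr.arpa' -> '91.109.178.2'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def is_ddns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def triage(rows):
    """Return {'c2': [...], 'ptr_to_c2': {...}, 'noise': {...}} for the rows."""
    endpoints = {}  # domain -> {(ip, port)} for TCP rows the sample resolved a name for
    for _, dest, domain, proto in rows:
        if proto == "tcp" and domain:
            endpoints.setdefault(domain, set()).add(split_dest(dest))

    c2 = []
    for domain, pairs in endpoints.items():
        for ip, port in sorted(pairs):
            reasons = []
            if is_ddns(domain):
                reasons.append("dynamic-DNS hostname")
            if port in ASYNCRAT_DEFAULT_PORTS:
                reasons.append("AsyncRAT default port")
            if port not in WEB_PORTS:
                reasons.append("non-web port")
            if reasons:
                c2.append({"domain": domain, "ip": ip, "port": port, "reasons": reasons})

    # Reverse lookups are normally OS background, but one that maps a C2 address
    # back to a name is a pivot worth keeping with the IOCs.
    c2_ips = {entry["ip"] for entry in c2}
    ptr_to_c2, noise = {}, Counter()
    for _, dest, domain, proto in rows:
        _, port = split_dest(dest)
        target = ptr_to_ip(domain) if domain else None
        if target is not None:
            if target in c2_ips:
                ptr_to_c2[domain] = target
            else:
                noise["ptr lookup of non-C2 address"] += 1
        elif proto == "tcp" and not domain and port in WEB_PORTS:
            noise["web traffic with no sample-resolved name"] += 1
    return {"c2": c2, "ptr_to_c2": ptr_to_c2, "noise": dict(noise)}


if __name__ == "__main__":
    print(json.dumps(triage(ROWS), indent=2))
```

Only connections the sample resolved a name for are scored, so the unnamed HTTP/HTTPS rows are never promoted to C2 on port alone; if a sample contacts a hard-coded IP, add the IP to the scoring path rather than loosening the web-port filter.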

Files

memory/3476-133-0x0000000000BB0000-0x0000000000BC2000-memory.dmp
memory/3476-134-0x000000001C4B0000-0x000000001C4C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE004.tmp.bat (differs from the behavioral1 batch file, so its hash is not a stable indicator)
MD5    4ac1dd2cc7b2bc47577cb14c9f733d6a
SHA1   eeadef940caee9c16b93de6c4ce360524497e2b2
SHA256 b7fe65bd264f3f8ea4d9ce73040233efa7edb474f669bd44320a56b62b31a0bb
SHA512 5ade27ec7af9dc2246894dbd24fa27ab52517a669881e24a9ed56d50a4e9f553d67283e9a062181fcd4cdb0d47c870e773daa2c1277d70af1bef55c1a18b5378

C:\Users\Admin\AppData\Roaming\microsafte.exe (listed twice in the run with identical hashes; shown once)
MD5    6ddcee176a864b67cd4cff577c28cdf1
SHA1   c69292e4ec9128ccc4de351f39a48d1bd3f439e6
SHA256 5bf8102edefe3e55a0e33207fdbf359f71477f70856745bc4e626cc72d498cd6 (same as the submitted sample: the dropped file is a byte-for-byte copy)
SHA512 3482d4da78c96ca3d404d97547ee21ff1651339bb5ae01f107399705f6a73bbd26e1f0a0761b0625427373cc688812e43483774a754c1f9a0bce9ff16e322ff4

memory/1156-143-0x000000001BFA0000-0x000000001BFB0000-memory.dmp
memory/1156-144-0x000000001BFA0000-0x000000001BFB0000-memory.dmp