Analysis Overview
SHA256
5a7af45895bf65bd39edbb7d0a524294c4ba54cb162f4e673dd184337a49ba97
Threat Level: Known bad
The file c80f44f67aa862099f67866a26e84253.bin.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-05-05 19:32
Signatures
Async RAT payload
Asyncrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-05 19:32
Reported
2023-05-05 20:53
Platform
win7-20230220-en
Max time kernel
151s
Max time network
164s
Signatures
AsyncRat
Async RAT payload
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe
"C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:7707 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:8808 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
Files
memory/1988-54-0x0000000001310000-0x0000000001326000-memory.dmp
memory/1988-55-0x0000000000260000-0x00000000002A0000-memory.dmp
memory/1988-56-0x0000000000260000-0x00000000002A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-05 19:32
Reported
2023-05-05 20:56
Platform
win10v2004-20230221-en
Max time kernel
262s
Max time network
316s
Signatures
AsyncRat
Async RAT payload
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe
"C:\Users\Admin\AppData\Local\Temp\cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| NL | 8.253.208.120:80 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.253.208.120:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:8808 | bahrdevo.endoftheinternet.org | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
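The Network tables of behavioral1 and behavioral2 mix the C2 traffic with sandbox resolver queries, reverse lookups and unattributed background connections. The script below, an added example and not part of the sandbox's own output or tooling, parses both tables (rows copied from the report and embedded inline), drops the noise, groups the remaining connections by the domain the report attributed them to, and flags a host contacted on AsyncRAT's stock server ports 6606, 7707 and 8808. Assumptions: the column order Country, Destination, Domain, Proto; that 8.8.8.8:53 is the sandbox resolver; and that a row with an empty Domain cell may have been extracted with Proto shifted one column to the left. Bare-IP connections on 80/443 with no domain attribution are reported separately as unverified rather than being labelled C2.

```python
"""Pull C2 indicators out of the Network tables of this sandbox report.

Added example; not the sandbox vendor's code. Input rows are copied from
the report's two behavioral analyses. Assumptions (not stated by the
report): column order Country/Destination/Domain/Proto, 8.8.8.8:53 is the
sandbox resolver, and an empty Domain cell may have shifted Proto left.
"""
import re
from collections import defaultdict

# AsyncRAT's default server configuration listens on these three ports.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
RESOLVER = ("8.8.8.8", 53)  # sandbox DNS resolver (assumption)

# Rows copied from the behavioral1 and behavioral2 Network tables above.
REPORT_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:7707 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:8808 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| CA | 192.99.180.181:6606 | bahrdevo.endoftheinternet.org | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| NL | 8.253.208.120:80 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.253.208.120:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bahrdevo.endoftheinternet.org | udp |
| CA | 192.99.180.181:8808 | bahrdevo.endoftheinternet.org | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
"""

ROW = re.compile(r"^\|(.*)\|$")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) for each data row.

    Handles both the aligned form "| NL | ip:80 | | tcp |" and the
    extraction-shifted form "| NL | ip:80 | tcp | |".
    """
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):
            proto, domain = domain, ""  # Proto landed in the Domain column
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto


def extract_iocs(text):
    """Group real connections by attributed domain; set aside noise."""
    by_domain = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0})
    unattributed = set()
    for _country, ip, port, domain, proto in parse_rows(text):
        if (ip, port) == RESOLVER:
            continue  # a lookup, not a connection to the looked-up host
        if domain.endswith(".in-addr.arpa"):
            continue  # reverse-lookup noise
        if domain:
            d = by_domain[domain]
            d["ips"].add(ip)
            d["ports"].add(port)
            d["hits"] += 1
        else:
            unattributed.add((ip, port, proto))  # no domain: leave unverified
    c2 = {
        dom: dict(d, asyncrat_default_ports=len(d["ports"] & ASYNCRAT_DEFAULT_PORTS))
        for dom, d in by_domain.items()
    }
    return {"c2": c2, "unattributed": unattributed}


def blocklist(result):
    """Flat, sorted indicator lines for a blocklist or hunt query."""
    lines = set()
    for domain, d in result["c2"].items():
        lines.add(f"domain:{domain}")
        for ip in d["ips"]:
            lines.add(f"ip:{ip}")
            for port in d["ports"]:
                lines.add(f"dst:{ip}:{port}")
    return sorted(lines)


if __name__ == "__main__":
    res = extract_iocs(REPORT_ROWS)
    for dom, d in res["c2"].items():
        print(dom, sorted(d["ips"]), sorted(d["ports"]),
              "default-port matches:", d["asyncrat_default_ports"])
    print("\n".join(blocklist(res)))
    print("unattributed:", sorted(res["unattributed"]))
```

Across the two runs the same host is reached on all three of AsyncRAT's default ports, which corroborates the family verdict independently of the signature names; the win10 run alone only shows 8808, so merging runs before judging port patterns matters. The unattributed 80/443 destinations carry no domain in the report and should not be published as indicators without further attribution.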
Files
memory/3860-133-0x0000000000F40000-0x0000000000F56000-memory.dmp
memory/3860-134-0x0000000005970000-0x0000000005980000-memory.dmp
memory/3860-135-0x0000000005970000-0x0000000005980000-memory.dmp
memory/3860-136-0x0000000006270000-0x0000000006814000-memory.dmp
memory/3860-137-0x0000000005E60000-0x0000000005EF2000-memory.dmp
memory/3860-138-0x0000000003300000-0x000000000330A000-memory.dmp