Malware Analysis Report

2025-05-05 22:18

Sample ID 231012-xh5sgsbb85
Target NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe
SHA256 49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c
Tags
agilenet rat asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c

Threat Level: Known bad

The file NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe was found to be: Known bad.

Malicious Activity Summary

agilenet rat asyncrat

Asyncrat family

Async RAT payload

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 18:52

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 18:52

Reported

2023-10-17 11:11

Platform

win7-20230831-en

Max time kernel

140s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\System32\cmd.exe
PID 2052 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\System32\cmd.exe
PID 2052 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\System32\cmd.exe
PID 2052 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2648 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2648 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2792 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2792 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2792 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B5E.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp

Files

memory/2052-0-0x0000000000880000-0x00000000008AE000-memory.dmp

memory/2052-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2052-3-0x000000001B350000-0x000000001B3D0000-memory.dmp

memory/2052-4-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B5E.tmp.bat

MD5 78c287b210a9df0935a5d5f8a49c8e41
SHA1 bd9b789cbe737825505aa7c005907a481fd17af8
SHA256 2885c359a29cc9c8eac90f72ac06a7aff73174289ce394cb151559fb289c2c09
SHA512 c8d898d9f0bf73a6e679662dfcaaa44873d9a829f2df8799d45244e405846dd3efa9121297e4855223ce49cf2534cef51d7f25555196013b960a0a66af558e58

C:\Users\Admin\AppData\Local\Temp\tmp8B5E.tmp.bat

MD5 78c287b210a9df0935a5d5f8a49c8e41
SHA1 bd9b789cbe737825505aa7c005907a481fd17af8
SHA256 2885c359a29cc9c8eac90f72ac06a7aff73174289ce394cb151559fb289c2c09
SHA512 c8d898d9f0bf73a6e679662dfcaaa44873d9a829f2df8799d45244e405846dd3efa9121297e4855223ce49cf2534cef51d7f25555196013b960a0a66af558e58

memory/2052-14-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2052-15-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 0ff4ee90b781b9f295724ef48a10de70
SHA1 77a57b29f1aab01ffe89d7ab9778035a393456e8
SHA256 49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c
SHA512 f29f8cd0ad8e27f579d0c787b84dfdcfab2e33601cb8f79469af1be3ec680e5c0a0e565dd47f3ce89b9b549885aebff3bd517155355bef2a731e5738e9e7ba78

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 0ff4ee90b781b9f295724ef48a10de70
SHA1 77a57b29f1aab01ffe89d7ab9778035a393456e8
SHA256 49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c
SHA512 f29f8cd0ad8e27f579d0c787b84dfdcfab2e33601cb8f79469af1be3ec680e5c0a0e565dd47f3ce89b9b549885aebff3bd517155355bef2a731e5738e9e7ba78

memory/2608-19-0x0000000000AB0000-0x0000000000ADE000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2608-21-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

memory/2608-22-0x000000001B0F0000-0x000000001B170000-memory.dmp

memory/2608-23-0x00000000778D0000-0x0000000077A79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAB20.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarAB52.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2608-58-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

memory/2608-59-0x00000000778D0000-0x0000000077A79000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 18:52

Reported

2023-10-17 11:14

Platform

win10v2004-20230915-en

Max time kernel

212s

Max time network

235s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0ff4ee90b781b9f295724ef48a10de70_JC.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4915.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
DE 84.182.130.233:4782 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
DE 84.182.130.233:4782 tcp

Files

memory/4556-0-0x0000000000130000-0x000000000015E000-memory.dmp

memory/4556-2-0x00007FFB48500000-0x00007FFB48FC1000-memory.dmp

memory/4556-3-0x000000001B0F0000-0x000000001B100000-memory.dmp

memory/4556-4-0x00007FFB65B90000-0x00007FFB65D85000-memory.dmp

memory/4556-9-0x00007FFB48500000-0x00007FFB48FC1000-memory.dmp

memory/4556-10-0x00007FFB65B90000-0x00007FFB65D85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4915.tmp.bat

MD5 c272458fe2dc22ce9eb6fcd6d721b280
SHA1 820ffc70a003d25da8646f44e8a6d039ebcf2343
SHA256 1244a726739de62ef0fbc4cbadf688e861f1daf1fc4b929cdb530f68d752638e
SHA512 e95e460946047c5ae06f8331e419761d8e6cda724f4fce0c44861e79fe2ba0471eb352b45fad3d3f4eeac824af3bb96bb594502bee097056aad14b0670556ee0

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 0ff4ee90b781b9f295724ef48a10de70
SHA1 77a57b29f1aab01ffe89d7ab9778035a393456e8
SHA256 49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c
SHA512 f29f8cd0ad8e27f579d0c787b84dfdcfab2e33601cb8f79469af1be3ec680e5c0a0e565dd47f3ce89b9b549885aebff3bd517155355bef2a731e5738e9e7ba78

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 0ff4ee90b781b9f295724ef48a10de70
SHA1 77a57b29f1aab01ffe89d7ab9778035a393456e8
SHA256 49281ec5f3bdbbe86268bddcdd59909573420a7d751639d9d10d66a48f3d5d4c
SHA512 f29f8cd0ad8e27f579d0c787b84dfdcfab2e33601cb8f79469af1be3ec680e5c0a0e565dd47f3ce89b9b549885aebff3bd517155355bef2a731e5738e9e7ba78

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/4796-16-0x00007FFB477B0000-0x00007FFB48271000-memory.dmp

memory/4796-17-0x00007FFB477B0000-0x00007FFB48271000-memory.dmp

memory/4796-18-0x00007FFB65B90000-0x00007FFB65D85000-memory.dmp

memory/4796-19-0x00007FFB65B90000-0x00007FFB65D85000-memory.dmp