Malware Analysis Report

2025-08-10 19:35

Sample ID 231115-t49f1scf33
Target NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
SHA256 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
Tags
rat test paid not crypted asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70

Threat Level: Known bad

The file NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe was found to be: Known bad.

Malicious Activity Summary

rat test paid not crypted asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 16:37

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 16:37

Reported

2023-11-15 16:40

Platform

win7-20231025-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KDFManager.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDFManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 2716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2120 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\KDFManager.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E0F.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\KDFManager.exe

"C:\Users\Admin\AppData\Roaming\KDFManager.exe"

Network

Country Destination Domain Proto
US 142.202.188.173:9953 tcp

Files

memory/2136-0-0x0000000000290000-0x00000000002A6000-memory.dmp

memory/2136-1-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2136-2-0x000000001B060000-0x000000001B0E0000-memory.dmp

memory/2136-3-0x0000000077A20000-0x0000000077BC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6E0F.tmp.bat

MD5 f5f3fbe565bcf372a7cf93e0e9afd1ad
SHA1 f3e1523f3d951319cebc998ad0f9a3b456f87ccf
SHA256 706839335cdd9a4b7cd7290b872918139584292f37073cf9925679a24b18f704
SHA512 b997d41321edbd1ee7d9c0086531eaae022e8a197c34a41ba27f633869f83e1a96b5e50868530a68c96412a6763cbee5ec7faf96939c25b2d79177799b3b8605

memory/2136-13-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/2136-12-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

C:\Users\Admin\AppData\Roaming\KDFManager.exe

MD5 9c65c31fa60a7490db9ac229f88aeaec
SHA1 1165267dfffa7ac1443002fb331fd573d34132ae
SHA256 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
SHA512 f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61

memory/2608-18-0x0000000000B60000-0x0000000000B76000-memory.dmp

memory/2608-19-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

memory/2608-20-0x000000001A9F0000-0x000000001AA70000-memory.dmp

memory/2608-21-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/2608-22-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

memory/2608-23-0x000000001A9F0000-0x000000001AA70000-memory.dmp

memory/2608-24-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-15 16:37

Reported

2023-11-15 16:40

Platform

win10v2004-20231023-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KDFManager.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDFManager.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\KDFManager.exe

"C:\Users\Admin\AppData\Roaming\KDFManager.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 142.202.188.173:9953 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp

Files

memory/4772-0-0x0000000000900000-0x0000000000916000-memory.dmp

memory/4772-1-0x00007FFE6FF40000-0x00007FFE70A01000-memory.dmp

memory/4772-2-0x000000001B700000-0x000000001B710000-memory.dmp

memory/4772-7-0x00007FFE8DDB0000-0x00007FFE8DFA5000-memory.dmp

memory/4772-8-0x00007FFE6FF40000-0x00007FFE70A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat

MD5 ad6edcab391ae9397b0408137d00e762
SHA1 38c7d33de6d04a405f32b3c805594f05208e332a
SHA256 9ed994d6e4dbf1c632753cce6337ff4a42d2b8374a08fb12a94bc827fc9c68d4
SHA512 9e22f5263bfe851610a0c46a55476cfed38a763fb06626eb094235382655f52aa6b606c064706949bd7a3ac38e9fd1ce99f5f9c9aaef3758669ff6bc0d077f75

C:\Users\Admin\AppData\Roaming\KDFManager.exe

MD5 9c65c31fa60a7490db9ac229f88aeaec
SHA1 1165267dfffa7ac1443002fb331fd573d34132ae
SHA256 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
SHA512 f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61

memory/4788-13-0x00007FFE6EFD0000-0x00007FFE6FA91000-memory.dmp

memory/4788-14-0x000000001B950000-0x000000001B960000-memory.dmp

memory/4788-15-0x00007FFE6EFD0000-0x00007FFE6FA91000-memory.dmp

memory/4788-16-0x000000001B950000-0x000000001B960000-memory.dmp