Malware Analysis Report

2025-08-10 19:33

Sample ID 231115-yjqkmaeh7v
Target LITIGALCAL20231108.rar
SHA256 94630838f483aeb0ea5255d20136f07430295dfbe6ada99c811543cd65c2103d
Tags
asyncrat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

94630838f483aeb0ea5255d20136f07430295dfbe6ada99c811543cd65c2103d

Threat Level: Known bad

The file LITIGALCAL20231108.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat persistence rat

AsyncRat

Async RAT payload

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 19:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 19:49

Reported

2023-11-15 19:51

Platform

win7-20231023-en

Max time kernel

122s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zjpelav = "C:\\Users\\Admin\\AppData\\Roaming\\Zjpelav.exe" C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2136 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 3068 (9 identical events recorded) N/A C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe

"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sebastianzapatadns.con-ip.com udp
CO 181.131.216.141:4040 sebastianzapatadns.con-ip.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDB73.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-15 19:49

Reported

2023-11-15 19:51

Platform

win10v2004-20231023-en

Max time kernel

137s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zjpelav = "C:\\Users\\Admin\\AppData\\Roaming\\Zjpelav.exe" C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2760 set thread context of 3772 N/A C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe

"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 48.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 evergonzalezdominio.con-ip.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CO 181.131.216.141:4040 evergonzalezdominio.con-ip.com tcp
US 8.8.8.8:53 141.216.131.181.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp