Malware Analysis Report

2025-08-05 14:28

Sample ID 231123-ceweesgc4t
Target b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7
SHA256 b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7
Tags
rat asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7

Threat Level: Known bad

The file b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7 was found to be: Known bad.

Malicious Activity Summary

rat asyncrat

Async RAT payload

Asyncrat family

Checks computer location settings

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-23 02:07

Signatures

Async RAT payload

rat
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Asyncrat family

asyncrat

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-23 01:59

Reported

2023-11-23 02:10

Platform

win7-20231025-en

Max time kernel

121s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe

"C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1676 -s 876

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-11-23 01:59

Reported

2023-11-23 02:11

Platform

win10v2004-20231023-en

Max time kernel

126s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe

"C:\Users\Admin\AppData\Local\Temp\b8f7edf7cd45b23dd4b32afdcc0baee277e57f8284dc533ebc1a68d12a6839b7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

N/A