Malware Analysis Report

2025-06-16 02:15

Sample ID 240123-c1vd9afadn
Target 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA256 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
Tags: asyncrat, default, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639

Threat Level: Known bad

The file 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639 was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, rat

Async RAT payload

AsyncRat

Asyncrat family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Enterprise Matrix V15

The export carries no technique table under this heading. The mapping below is the editor's reading of the signatures listed above against ATT&CK v15, not sandbox output:

T1059.003  Command and Scripting Interpreter: Windows Command Shell (cmd.exe /c runs schtasks and the dropped .bat)
T1053.005  Scheduled Task/Job: Scheduled Task (schtasks /create /sc onlogon /rl highest /tn "Axenta")
T1497.003  Virtualization/Sandbox Evasion: Time Based Evasion (timeout 3 before the relaunch)
T1057      Process Discovery (EnumeratesProcesses)
T1082      System Information Discovery (physical storage device enumeration)
T1614      System Location Discovery (Control Panel\International\Geo\Nation query)
T1134      Access Token Manipulation (SeDebugPrivilege enabled via AdjustPrivilegeToken)

Analysis: static1

Detonation Overview

Reported: 2024-01-23 02:33

Signatures

Async RAT payload (tags: rat)
    No indicator, process or target recorded for the static pass.

Asyncrat family (tags: asyncrat)

Unsigned PE
    No indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-23 02:33
Reported: 2024-01-23 02:40
Platform: win7-20231129-en
Max time kernel: 137s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"

Signatures

Below, sample.exe stands for C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe.

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)
    Three hits; no indicator, process or target recorded.

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Roaming\Axenta.exe

Loads dropped DLL
    Process: C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Creates scheduled task(s) (tags: persistence)
    Process: C:\Windows\SysWOW64\schtasks.exe

Delays execution with timeout.exe (tags: evasion)
    Process: C:\Windows\SysWOW64\timeout.exe

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege    Process: sample.exe
    Token: SeDebugPrivilege    Process: C:\Users\Admin\AppData\Roaming\Axenta.exe (2 events)

Suspicious use of WriteProcessMemory
    The export emits one row per WriteProcessMemory call; identical rows are collapsed below with an event count. Every parent/child pair is a process creation that also appears in the process tree (CreateProcess writes the new child's startup data into its address space, which is what gets recorded), not a write into an unrelated process.

    Events  Parent (PID) -> Child (PID)
    4       sample.exe (1996) -> C:\Windows\SysWOW64\cmd.exe (3012)
    4       sample.exe (1996) -> C:\Windows\SysWOW64\cmd.exe (1260)
    4       C:\Windows\SysWOW64\cmd.exe (3012) -> C:\Windows\SysWOW64\schtasks.exe (2628)
    4       C:\Windows\SysWOW64\cmd.exe (1260) -> C:\Windows\SysWOW64\timeout.exe (2644)
    4       C:\Windows\SysWOW64\cmd.exe (1260) -> C:\Users\Admin\AppData\Roaming\Axenta.exe (2268)

Processes

Process tree (parent/child links taken from the WriteProcessMemory rows above; cmd.exe runs twice, once per PID, and the command lines are paired with PIDs by their children):

1996  C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
      "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
  3012  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
    2628  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
  1260  C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat""
    2644  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    2268  C:\Users\Admin\AppData\Roaming\Axenta.exe
          "C:\Users\Admin\AppData\Roaming\Axenta.exe"

Notes:
- The command lines name C:\Windows\System32\cmd.exe while the recorded image path is C:\Windows\SysWOW64\cmd.exe. The sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for everything it launches.
- The scheduled task "Axenta" fires at every logon (/sc onlogon), /f silently overwrites any existing task of that name, and /rl highest asks for the highest privilege level the account has; for an administrator that is a full-token process at logon with no UAC prompt. The task target is the self-copy dropped into %APPDATA%.
- The batch file tmp2961.tmp.bat waits three seconds (timeout 3) and then starts Axenta.exe: the copy, schedule, delay, relaunch install routine typical of AsyncRAT builds.
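
The following Python is an added example, not part of the sandbox export or of any project the report refers to. It rebuilds the process tree from the "PID X wrote to memory of Y" rows, deduplicating the repeated events, and then tags each command line with the behaviours the signatures above describe (onlogon task pointing into a user-writable directory, /rl highest, cmd.exe running a .bat from Temp, timeout delay, execution from AppData\Roaming), finally cross-checking that the task's /tr target is the same file that gets launched. The input is transcribed from this run's tables; the PID-to-command-line pairing and the tag names are the example's own assumptions.

```python
import re

# Constructed input transcribed from the behavioral1 tables of this report. One
# duplicate "wrote to memory" row is kept so the deduplication is exercised. The
# PID-to-command-line pairing is inferred from the parent/child rows (PID 3012
# spawned schtasks.exe; PID 1260 spawned timeout.exe and Axenta.exe).
WPM_EVENTS = r"""
PID 1996 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1260 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1260 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Axenta.exe
"""
CMDLINES = r"""
1996 "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
3012 "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
1260 cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat""
2628 schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
2644 timeout 3
2268 "C:\Users\Admin\AppData\Roaming\Axenta.exe"
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
TASK_TARGET_RE = re.compile(r"""/tr\s+'?"?([^'"]+)""", re.I)
TEMP_BAT_RE = re.compile(r'cmd(\.exe)?"?\s+/c\s+"*[^"]*\\temp\\[^"]*\.bat\b', re.I)
TIMEOUT_RE = re.compile(r"^timeout(\.exe)?\s+(/t\s+)?\d+", re.I)
APPDATA_EXE_RE = re.compile(r'^"?[a-z]:\\users\\[^"]*\\appdata\\roaming\\[^"]*\.exe"?$', re.I)

def parse_wpm(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges, first-seen order."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.setdefault((int(m[1]), int(m[2])), (m[3], m[4]))
    return [(p, c, pi, ci) for (p, c), (pi, ci) in edges.items()]

def build_tree(edges):
    """(root pids, children_by_pid, image_by_pid); a root is a parent nobody spawned."""
    children, images = {}, {}
    for p, c, pi, ci in edges:
        children.setdefault(p, []).append(c)
        images[p], images[c] = pi, ci
    spawned = {c for _, c, _, _ in edges}
    return [p for p in children if p not in spawned], children, images

def render_tree(pids, children, images, depth=0):
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {images[pid]}")
        lines += render_tree(children.get(pid, []), children, images, depth + 1)
    return lines

def schtasks_info(cmd):
    """Flags and /tr target of a schtasks /create command line, or None."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmd, re.I):
        return None
    tr = TASK_TARGET_RE.search(cmd)
    return {"target": tr[1].strip() if tr else "",
            "onlogon": bool(re.search(r"/sc\s+onlogon\b", cmd, re.I)),
            "highest": bool(re.search(r"/rl\s+highest\b", cmd, re.I))}

def classify(pid, cmd):
    """(pid, tag) pairs; each tag is one behaviour from this run's signature list."""
    tags, info, cmd = [], schtasks_info(cmd), cmd.strip()
    if info and info["onlogon"] and re.search(r"\\appdata\\(roaming|local)\\", info["target"], re.I):
        tags.append("schtasks-onlogon-user-writable-target")
    if info and info["highest"]:
        tags.append("schtasks-rl-highest")
    if TEMP_BAT_RE.search(cmd):
        tags.append("cmd-runs-temp-bat")
    if TIMEOUT_RE.match(cmd):
        tags.append("timeout-delay")
    if APPDATA_EXE_RE.match(cmd):
        tags.append("exec-from-appdata-roaming")
    return [(pid, t) for t in tags]

def installer_chain(cmdlines):
    """True when an onlogon task's /tr target is also launched from %APPDATA% in the same run."""
    targets, launched = set(), set()
    for cmd in cmdlines.values():
        info = schtasks_info(cmd)
        if info and info["onlogon"]:
            targets.add(info["target"].lower())
        if APPDATA_EXE_RE.match(cmd.strip()):
            launched.add(cmd.strip().strip('"').lower())
    return bool(targets & launched)

def triage(wpm_text, cmd_text):
    roots, children, images = build_tree(parse_wpm(wpm_text))
    rows = (line.strip().partition(" ") for line in cmd_text.strip().splitlines())
    cmdlines = {int(pid): cmd for pid, _, cmd in rows}
    return {"tree": render_tree(roots, children, images),
            "findings": sorted(f for pid, cmd in cmdlines.items() for f in classify(pid, cmd)),
            "installer_chain": installer_chain(cmdlines)}

if __name__ == "__main__":
    result = triage(WPM_EVENTS, CMDLINES)
    print("\n".join(result["tree"]))
    print(*[f"PID {pid}: {tag}" for pid, tag in result["findings"]], sep="\n")
    print("install routine detected:", result["installer_chain"])
```

The individual tags are weak on their own (administrators create onlogon tasks, installers use timeout), which is why installer_chain only fires when the task target and the launched binary are the same %APPDATA% path; that join is the part worth carrying into a detection rule.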

Network

Identical rows collapsed; Count is the number of rows in the export.

Country  Destination          Proto  Count
N/A      127.0.0.1:8080       tcp    8
US       20.98.203.218:8080   tcp    4

No DNS traffic was recorded in this run. 20.98.203.218:8080 is the only non-loopback destination and the likely C2 endpoint; the loopback attempts are dead ends on any real host and match a client cycling through a configured host list that includes 127.0.0.1.

Files

memory/1996-0-0x0000000001270000-0x0000000001282000-memory.dmp
memory/1996-1-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/1996-2-0x0000000001170000-0x00000000011B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat
    MD5     ccdbda6c146a55e7bd487c0086097773
    SHA1    dc186d572413360e81a88ac5dac03f1962438622
    SHA256  6fbbd04203909c50c5ffda444f62344b0f96aa43a51caca7d2d9920909a3eb24
    SHA512  1e0595f5f94caf324adaf2a4f943ba9fae4cf3a325fc59c64cc0b72ecb53be9b2dd93ceff399147546b9fab21928f651f7f789214c76bd91674794945e22a2bf

memory/1996-12-0x0000000074C10000-0x00000000752FE000-memory.dmp

\Users\Admin\AppData\Roaming\Axenta.exe
    MD5     1f58a5ef877adab164e528929729d3b0
    SHA1    d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
    SHA256  01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
    SHA512  f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d
    The SHA256 equals the submitted sample's: Axenta.exe is a byte-for-byte self-copy, so one set of file hashes covers both the staged and the installed instance.

memory/2268-16-0x0000000000F40000-0x0000000000F52000-memory.dmp
memory/2268-17-0x0000000074520000-0x0000000074C0E000-memory.dmp
memory/2268-18-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
memory/2268-19-0x0000000074520000-0x0000000074C0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-23 02:33
Reported: 2024-01-23 02:40
Platform: win10v2004-20231222-en
Max time kernel: 144s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"

Signatures

Below, sample.exe stands for C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe.

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)
    Three hits; no indicator, process or target recorded.

Checks computer location settings
    Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
    Process: sample.exe
    AsyncRAT is a .NET program, and the .NET runtime reads this value when it initialises region information, so the signature fires for many .NET binaries that never make a deliberate location check. It is consistent with a geographic guard but does not prove one.

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Roaming\Axenta.exe

Enumerates physical storage devices

Creates scheduled task(s) (tags: persistence)
    Process: C:\Windows\SysWOW64\schtasks.exe

Delays execution with timeout.exe (tags: evasion)
    Process: C:\Windows\SysWOW64\timeout.exe

Suspicious behavior: EnumeratesProcesses
    Process: sample.exe (23 events; no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege    Process: sample.exe
    Token: SeDebugPrivilege    Process: C:\Users\Admin\AppData\Roaming\Axenta.exe (2 events)

Suspicious use of WriteProcessMemory
    Identical rows collapsed with an event count; each parent/child pair is a process creation that also appears in the process tree, not a write into an unrelated process.

    Events  Parent (PID) -> Child (PID)
    3       sample.exe (1468) -> C:\Windows\SysWOW64\cmd.exe (3952)
    3       sample.exe (1468) -> C:\Windows\SysWOW64\cmd.exe (4984)
    3       C:\Windows\SysWOW64\cmd.exe (3952) -> C:\Windows\SysWOW64\schtasks.exe (3768)
    3       C:\Windows\SysWOW64\cmd.exe (4984) -> C:\Windows\SysWOW64\timeout.exe (3308)
    3       C:\Windows\SysWOW64\cmd.exe (4984) -> C:\Users\Admin\AppData\Roaming\Axenta.exe (4696)

Processes

Process tree (parent/child links taken from the WriteProcessMemory rows above; command lines are paired with PIDs by their children):

1468  C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
      "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
  3952  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
    3768  C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
  4984  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp.bat""
    3308  C:\Windows\SysWOW64\timeout.exe
          timeout 3
    4696  C:\Users\Admin\AppData\Roaming\Axenta.exe
          "C:\Users\Admin\AppData\Roaming\Axenta.exe"

The chain is identical to behavioral1 apart from PIDs and the temporary batch file name (tmp57A5.tmp.bat): same task name, same target path in %APPDATA%, same three-second delay before the relaunch. The SysWOW64 image paths again reflect WOW64 file-system redirection for the 32-bit sample.

Network

TCP rows collapsed with a count; each UDP row is one DNS query.

Country  Destination          Domain                        Proto  Count
US       8.8.8.8:53           133.211.185.52.in-addr.arpa   udp    1
US       8.8.8.8:53           17.160.190.20.in-addr.arpa    udp    1
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp    1
N/A      127.0.0.1:8080                                     tcp    3
US       20.98.203.218:8080                                 tcp    5
US       8.8.8.8:53           157.123.68.40.in-addr.arpa    udp    1
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp    1
US       8.8.8.8:53           19.229.111.52.in-addr.arpa    udp    1
US       8.8.8.8:53           180.178.17.96.in-addr.arpa    udp    1

The seven UDP rows are reverse (PTR) lookups, sent to 8.8.8.8, for addresses that appear nowhere else in the capture; the export does not tie them to a process and the Windows 7 run produced none, so treat them as environment noise rather than sample behaviour unless a process-level capture says otherwise. As in behavioral1, 20.98.203.218:8080 is the only external TCP destination and the likely C2 endpoint; the loopback attempts match a client cycling through a configured host list that includes 127.0.0.1.
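
The following Python is an added example, not part of the sandbox export, that triages a network table in this layout: it collapses repeated rows, decodes in-addr.arpa names back to the addresses that were being reverse-resolved, separates loopback attempts from real endpoints, and picks out the external TCP destination. It also decodes ip6.arpa names, which this run does not contain, so the same routine works on an IPv6 capture. The input is constructed from the rows above; the "candidate C2" label is the example's own heuristic (any globally routable TCP endpoint the sample returned to), not a verdict from the sandbox.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the behavioral2 Network rows of this report in the export's
# "Country Destination Domain Proto" layout (Domain is absent on plain TCP rows).
NETWORK_ROWS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
US 20.98.203.218:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 20.98.203.218:8080 tcp
US 20.98.203.218:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:8080 tcp
US 20.98.203.218:8080 tcp
US 20.98.203.218:8080 tcp
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$", re.I)


def parse_rows(text):
    """Rows -> dicts with country, ip, port (int), domain (or None) and proto."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4], "proto": m[5].lower()})
    return rows


def ptr_to_ip(name):
    """Address behind a reverse-lookup name, or None if it is not a complete
    in-addr.arpa (IPv4) or ip6.arpa (IPv6) record."""
    n = name.lower().rstrip(".")
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            return None
        return ".".join(reversed(octets))          # labels are in reverse octet order
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def summarize(text):
    """Split the capture into DNS lookups, loopback attempts and real endpoints."""
    conns, ptr_targets, forward_lookups, loopback = Counter(), [], [], 0
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            resolved = ptr_to_ip(r["domain"])
            if resolved:
                ptr_targets.append(resolved)
            else:
                forward_lookups.append(r["domain"])
            continue
        if ipaddress.ip_address(r["ip"]).is_loopback:
            loopback += 1
            continue
        conns[(r["ip"], r["port"], r["proto"])] += 1
    # Heuristic of this example: any globally routable TCP endpoint is a C2 candidate.
    candidates = sorted(k for k in conns
                        if k[2] == "tcp" and ipaddress.ip_address(k[0]).is_global)
    return {"ptr_targets": ptr_targets, "forward_lookups": forward_lookups,
            "connections": conns, "loopback_attempts": loopback,
            "candidate_c2": candidates}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("PTR lookups resolved for:", ", ".join(s["ptr_targets"]))
    print("loopback attempts:", s["loopback_attempts"])
    for (ip, port, proto), n in s["connections"].most_common():
        print(f"{ip}:{port}/{proto}  x{n}")
    print("candidate C2:", s["candidate_c2"])
```

Decoding the PTR names is what lets an analyst check whether the reverse-resolved addresses ever show up as connection targets; here they do not, which is the basis for treating those queries as background noise rather than sample traffic.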

Files

memory/1468-1-0x0000000074A20000-0x00000000751D0000-memory.dmp
memory/1468-0-0x0000000000740000-0x0000000000752000-memory.dmp
memory/1468-2-0x0000000005100000-0x0000000005110000-memory.dmp
memory/1468-3-0x0000000005110000-0x00000000051AC000-memory.dmp
memory/1468-8-0x0000000074A20000-0x00000000751D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp.bat
    MD5     0f305e29a9ee82da1333dcae6c19301a
    SHA1    132c532613a4c1e1b30c5d3360e42cfb58dc160b
    SHA256  ee1c06179c2e6538f205e1aa463955751846bdcf75b60973f5dd2e5d341c0c62
    SHA512  124024fba05d4ec931f0d45411d237ada8eced9523d9dcbcade1000b63fdc721ecc8ac92027f8303558a28b2d73050b645e5845dcb8cb2b7eed9ea9fde22002e
    Differs from the behavioral1 batch file (tmp2961.tmp.bat) in both name and hash, so the .bat hashes are per-run values, not stable indicators.

C:\Users\Admin\AppData\Roaming\Axenta.exe
    MD5     e4f33f71cf19699c4a8ef0ef20ad2da7
    SHA1    daddd8b29a70ff3c01ceffb4466c5b5a99a4d51a
    SHA256  842d4a1bad855019b1054a9c4bc080fd21df560f21a95ab3e044f8125797443d
    SHA512  8642b0a1433bf614b03cc0aac94ab39962b2584a9fd39a34c5f1c687c0706a8fbc65e4c86cebb4769870a4c6bafd0255c7253d091bc1bbad03b5199c974ca472

C:\Users\Admin\AppData\Roaming\Axenta.exe
    MD5     1f58a5ef877adab164e528929729d3b0
    SHA1    d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
    SHA256  01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
    SHA512  f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d
    The export records two hash sets for this one path. The second equals the submitted sample, so the installed Axenta.exe is a self-copy, as in behavioral1. The export does not say which state of the file the first set reflects; do not treat it as a second payload unless a copy of it can be obtained.

memory/4696-13-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4696-14-0x00000000052A0000-0x00000000052B0000-memory.dmp
memory/4696-15-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4696-16-0x00000000052A0000-0x00000000052B0000-memory.dmp