Malware Analysis Report

2025-06-16 02:15

Sample ID 240125-gjmejaheh3
Target 73e51598d70df9f164408abaaf346211
SHA256 238230eb6322dfb786b5e3054b44d1e0322aadfc44232111ec3db71e20503ee8
Tags: asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

238230eb6322dfb786b5e3054b44d1e0322aadfc44232111ec3db71e20503ee8

Threat Level: Known bad

The file 73e51598d70df9f164408abaaf346211 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 05:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 05:50

Reported

2024-01-25 05:52

Platform

win7-20231129-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"

Signatures

AsyncRat

Tags: rat asyncrat

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (6 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 880 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 880 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Windows\SysWOW64\schtasks.exe  (4 identical rows)
PID 880 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe  (9 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

"C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EzliZea" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp"

C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

"{path}"

Network

Country | Destination | Domain | Proto
CH | 79.134.225.44:7450 | - | tcp  (23 identical rows)

Files

memory/880-0-0x0000000000B70000-0x0000000000BC0000-memory.dmp

memory/880-1-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/880-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp

memory/880-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/880-4-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/880-5-0x0000000004AC0000-0x0000000004B00000-memory.dmp

memory/880-6-0x0000000005A40000-0x0000000005AA6000-memory.dmp

memory/880-7-0x00000000005A0000-0x00000000005B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91F3.tmp

MD5 6b3207f25e436323c3d8fa06d175db09
SHA1 4e8ef9f9a8895537beae550cecfe652741c4abc4
SHA256 5ee6625f49079593002280669f88b7cca75f8232a6c82d4b69ba73e41af572a5
SHA512 933391cc9c28af19ebe7f7c4acf5b75c2a5b160ad035d94305828d6257b5aced05ea43691588b55bbd3bf157d1b134acf817d328c7de83edc754d1fe60266bce

memory/2296-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-15-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-17-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2296-21-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-23-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-25-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-27-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/880-26-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/2296-28-0x0000000004380000-0x00000000043C0000-memory.dmp

memory/2296-29-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/2296-30-0x0000000004380000-0x00000000043C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 05:50

Reported

2024-01-25 05:52

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"

Signatures

AsyncRat

Tags: rat asyncrat

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 804 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 804 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Windows\SysWOW64\schtasks.exe  (3 identical rows)
PID 804 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe | C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe  (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

"C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EzliZea" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp"

C:\Users\Admin\AppData\Local\Temp\73e51598d70df9f164408abaaf346211.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
CH | 79.134.225.44:7450 | - | tcp  (7 identical rows)
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
CH | 79.134.225.44:7450 | - | tcp  (12 identical rows)

Files

memory/804-1-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/804-0-0x0000000000470000-0x00000000004C0000-memory.dmp

memory/804-2-0x00000000053D0000-0x0000000005974000-memory.dmp

memory/804-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

memory/804-4-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/804-5-0x0000000004F70000-0x0000000004F7A000-memory.dmp

memory/804-6-0x00000000079C0000-0x00000000079C8000-memory.dmp

memory/804-7-0x0000000007A70000-0x0000000007B0C000-memory.dmp

memory/804-8-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/804-9-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/804-10-0x00000000079E0000-0x0000000007A46000-memory.dmp

memory/804-11-0x0000000006360000-0x0000000006374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp

MD5 698cd417636bf9d028fde264f43e0e63
SHA1 b7462f95fd2d5ea786ff73ed0323c60a33c67ca8
SHA256 eaced3f7fa33a6f5cfd35f11cf2dc9c4c936798c62e1ebbd343da535c6437528
SHA512 eb0239725d7da045ebf66dbdcbce0e1ffbb95644ef63c43597c0a875dbb6f997e2959cc442617ea711b7224a45ad9744c55d70605f6beb689159ec2465679a05

memory/1624-15-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\73e51598d70df9f164408abaaf346211.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1624-19-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/804-18-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1624-20-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1624-21-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1624-22-0x00000000057C0000-0x00000000057D0000-memory.dmp