Malware Analysis Report

2025-04-13 12:29

Sample ID 240312-b4tfpacd3s
Target 297942cdaf9c3efc3968bab08b2a69ea.bin
SHA256 09b1cb8d457625091e02d13c9f6323309a5652ed4e8b33eaf9c994ca9c849805
Tags
asyncrat rat
score
10/10

Analysis Overview

score
10/10

SHA256

09b1cb8d457625091e02d13c9f6323309a5652ed4e8b33eaf9c994ca9c849805

Threat Level: Known bad

The file 297942cdaf9c3efc3968bab08b2a69ea.bin was found to be: Known bad.

Malicious Activity Summary

asyncrat rat

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 01:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 01:42

Reported

2024-03-12 01:45

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe

"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\codbypass.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\I3G4883T852C.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\icons8-call-of-duty-mobile-50.ico

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Untitled-1.jpg

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0038.btn

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0039.btn

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0001.btn

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 01:42

Reported

2024-03-12 01:45

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe

"C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\297942cdaf9c3efc3968bab08b2a69ea.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x538 0x534

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\codbypass.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\I3G4883T852C.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\icons8-call-of-duty-mobile-50.ico

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Untitled-1.jpg

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0038.btn

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0001.btn

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1041_0039.btn