Malware Analysis Report

2025-04-13 12:31

Sample ID: 240402-nklyqagd8v
Target: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.zip
SHA256: 8ba94e3e5f1254c6181879dd1110221c3d88b0caefd316282a7c71a2a8384bc0
Tags: asyncrat, exodus_market, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8ba94e3e5f1254c6181879dd1110221c3d88b0caefd316282a7c71a2a8384bc0

Threat Level: Known bad

The file 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.zip was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, exodus_market, rat

Async RAT payload

Asyncrat family

AsyncRat

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-02 11:27

Signatures

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family
Tags: asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 11:27
Reported: 2024-04-02 11:29
Platform: win7-20231129-en
Max time kernel: 141s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2860 wrote to memory of 2592 (×4) | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2484 (×4) | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2036 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 2088 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2484 wrote to memory of 2616 (×4) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\svchos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe

"C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchos.exe

"C:\Users\Admin\AppData\Roaming\svchos.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | leetboy.dynuddns.net | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp (×5)
US | 8.8.8.8:53 | leetboy.dynuddns.net | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp

Files

memory/2860-0-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/2860-1-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/2860-2-0x0000000004700000-0x0000000004740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat
MD5: 4c60902816ee99bfeffd142e19715994
SHA1: 816fe83948134a64621803ba89c7a1ce56d0bc48
SHA256: 16dc73674accf1b56eb4d7c96a7c077b19de1abb2e1b6ee9a07a64dd5ceff415
SHA512: c337e52292042c7d847e38c0bc0da6bab67e51c177833b5a41db668f7f9a74d2e717247c7b2a7aaa60c0e45ed034df133b5e63aa7db7b121da773af5b0bc9142

memory/2860-12-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/2616-16-0x00000000001A0000-0x00000000001B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchos.exe
MD5: c1ade258f05c512e98ebc4d9d1165f8a
SHA1: acf20f6a7dc7841ae06f801b887289fdc99e0488
SHA256: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
SHA512: 5b652e0ef6293d7baeb7e9d8b79322ec65e98d748e1df492099fa6692d0bbc78f032df68e7028a28af06b5c27394456159351a6469fdaf777e6eb98609331076

memory/2616-17-0x0000000073EE0000-0x00000000745CE000-memory.dmp
memory/2616-18-0x0000000004B00000-0x0000000004B40000-memory.dmp
memory/2616-19-0x0000000073EE0000-0x00000000745CE000-memory.dmp
memory/2616-20-0x0000000004B00000-0x0000000004B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 11:27
Reported: 2024-04-02 11:29
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | N/A (×23)
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchos.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3176 wrote to memory of 3916 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 2204 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe | C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 1196 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3916 wrote to memory of 624 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 3428 (×3) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\svchos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe

"C:\Users\Admin\AppData\Local\Temp\447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp42E5.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\Admin\AppData\Roaming\svchos.exe"'

C:\Users\Admin\AppData\Roaming\svchos.exe

"C:\Users\Admin\AppData\Roaming\svchos.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 20.231.121.79:80 |  | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | leetboy.dynuddns.net | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp (×3)
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp
US | 8.8.8.8:53 | leetboy.dynuddns.net | udp
NL | 91.92.249.94:1339 | leetboy.dynuddns.net | tcp

Files

memory/3176-0-0x00000000005D0000-0x00000000005E6000-memory.dmp
memory/3176-1-0x0000000075420000-0x0000000075BD0000-memory.dmp
memory/3176-2-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/3176-3-0x0000000004FE0000-0x000000000507C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp42E5.tmp.bat
MD5: ecdc16c0a2869c185de63ddf163f264a
SHA1: 45a548f97abd016b1fdb7f1086029ccc6cc74a8b
SHA256: 8bee01464cfdb8b2524fcf30f4cf3fe3a09b9cd409387b0c121862654b9de98c
SHA512: 5164b7c7865c7f72f8f1ad7dd97f4ec5cb95be47f07d34b11739420853010b79096c1e5c6e9f8b1147328f16bbfba805cbee097af376a5dc3c0173ee2d97cc07

memory/3176-9-0x0000000075420000-0x0000000075BD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchos.exe
MD5: c1ade258f05c512e98ebc4d9d1165f8a
SHA1: acf20f6a7dc7841ae06f801b887289fdc99e0488
SHA256: 447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
SHA512: 5b652e0ef6293d7baeb7e9d8b79322ec65e98d748e1df492099fa6692d0bbc78f032df68e7028a28af06b5c27394456159351a6469fdaf777e6eb98609331076

memory/3428-13-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/3428-14-0x0000000000920000-0x0000000000930000-memory.dmp
memory/3428-15-0x0000000005110000-0x00000000056B4000-memory.dmp
memory/3428-16-0x0000000004D40000-0x0000000004DD2000-memory.dmp
memory/3428-17-0x0000000004D30000-0x0000000004D3A000-memory.dmp
memory/3428-18-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/3428-19-0x0000000000920000-0x0000000000930000-memory.dmp