Malware Analysis Report

2025-04-13 12:32

Sample ID 240406-bwt29ahb24
Target a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe
SHA256 a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6
Tags
rat promesas new 05 asyncrat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6

Threat Level: Known bad

The file a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe was found to be: Known bad.

Malicious Activity Summary

rat promesas new 05 asyncrat

AsyncRat
Async RAT payload
Asyncrat family
Detects executables attempting to enumerate video devices using WMI
Detects executables containing the string DcRatBy
Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:30

Signatures

Async RAT payload (rat)
Asyncrat family (asyncrat)
Detects executables attempting to enumerate video devices using WMI
Detects executables containing the string DcRatBy
Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Unsigned PE

No Description, Indicator, Process or Target details were recorded for any of these signatures (all fields N/A).
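The three string-based signatures above (the DcRatBy marker, WMI video-device enumeration, base64-embedded APIs, command lines and registry keys) all reduce to scanning the binary's strings. The following added example shows that kind of check in Python; it is not the sandbox's rule logic, and the marker strings, the WMI query text and the base64 decoding heuristics are assumptions chosen to illustrate what such signatures look for. The input blob is constructed for the demo and contains no bytes from the sample.

```python
"""Static string triage in the spirit of the DcRatBy / WMI / base64 signatures.

Added example, not the sandbox's rule logic. Marker strings and decode
heuristics are assumptions; demo_blob() is constructed, not the real sample.
"""
import base64
import re
from dataclasses import dataclass

MIN_STRING_LEN = 6

# Literal markers -> signature-style label (assumed representative patterns).
LITERAL_MARKERS = {
    "DcRatBy": "dcrat_marker",            # build marker shared by AsyncRAT/DcRat forks
    "Win32_PnPEntity": "wmi_video_enum",  # WMI class used to enumerate PnP devices
    "PNPClass": "wmi_video_enum",         # ... filtered on PNPClass = 'Image'/'Camera'
}

# What a base64 token must decode to before it is reported.
DECODED_PATTERNS = {
    "b64_api": re.compile(r"\b(VirtualAlloc|VirtualProtect|CreateRemoteThread|"
                          r"WriteProcessMemory|LoadLibrary[AW]?|GetProcAddress)\b"),
    "b64_registry": re.compile(r"(HKEY_|HKLM\\|HKCU\\|"
                               r"Software\\Microsoft\\Windows\\CurrentVersion\\Run)", re.I),
    "b64_cmdline": re.compile(r"(cmd\.exe|powershell|schtasks|/create|-ExecutionPolicy)", re.I),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass(frozen=True)
class Hit:
    kind: str
    evidence: str      # string or base64 token exactly as found in the file
    decoded: str = ""  # decoded text for base64 hits


def extract_strings(blob):
    """Yield printable ASCII and UTF-16LE runs (what `strings -a` / `strings -el` print)."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def decode_b64_text(token):
    """Return decoded text if token is valid base64 for mostly printable text, else None."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
        if len(text) >= 4 and printable / len(text) >= 0.9:
            return text
    return None


def scan(blob):
    """Return de-duplicated Hits for literal markers and suspicious base64 tokens."""
    hits = set()
    for s in extract_strings(blob):
        for marker, kind in LITERAL_MARKERS.items():
            if marker in s:
                hits.add(Hit(kind, s))
    for m in B64_TOKEN.finditer(blob):
        token = m.group().decode("ascii")
        text = decode_b64_text(token)
        if text is None:
            continue
        for kind, pattern in DECODED_PATTERNS.items():
            if pattern.search(text):
                hits.add(Hit(kind, token, text))
    return sorted(hits, key=lambda h: (h.kind, h.evidence))


def summarize(hits):
    """Count hits per signature-style label."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def demo_blob():
    """Constructed stand-in for a sample: DOS stub, .NET-style UTF-16 strings, base64 blobs."""
    def b64(text):
        return base64.b64encode(text.encode()).decode().encode("ascii")
    pad = b"\x00" * 8
    wmi_query = "Select * From Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')"
    return b"".join([
        b"MZ\x90\x00This program cannot be run in DOS mode.", pad,
        "DcRatBy".encode("utf-16-le"), pad,  # .NET user strings are stored as UTF-16
        wmi_query.encode("utf-16-le"), pad,
        b64("VirtualAlloc"), pad,
        b64("Software\\Microsoft\\Windows\\CurrentVersion\\Run"), pad,
        b64("cmd.exe /c schtasks /create /sc onlogon /tn Update /tr client.exe"), pad,
        b"AAAAAAAAAAAAAAAAAAAAAAAA", pad,  # valid base64 but decodes to NULs: ignored
        b"Hello from a benign string", pad,
    ])


if __name__ == "__main__":
    found = scan(demo_blob())
    for h in found:
        print(f"{h.kind:16} {h.evidence!r}" + (f"  ->  {h.decoded!r}" if h.decoded else ""))
    print(summarize(found))
```

Run against a real file with `scan(open(path, "rb").read())`. Scanning UTF-16 runs matters for .NET samples like this one, whose user strings live in the #US heap as UTF-16; the printable-ratio filter on decoded base64 is what keeps random high-entropy data (packed resources, certificates) from flooding the results.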

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:30

Reported

2024-04-06 01:32

Platform

win7-20240221-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe"

Signatures

AsyncRat (rat asyncrat)
Detects executables attempting to enumerate video devices using WMI
Detects executables containing the string DcRatBy
Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.

No Description, Indicator, Process or Target details were recorded for these signatures (all fields N/A).

Processes

C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe

"C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp

Only two destinations appear: the resolver 8.8.8.8 (two lookups of promesasalvaro1.duckdns.org) and 179.13.0.175:7091, which the sample connects to six times within the 142 s network window. A dynamic-DNS hostname resolving to a single non-standard high port, contacted repeatedly, is the C2 pattern behind the AsyncRat signature above; the hostname and the IP:port pair are the actionable network indicators.

Files

memory/2188-0-0x00000000001B0000-0x00000000001C2000-memory.dmp

memory/2188-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2188-2-0x0000000000240000-0x00000000002C0000-memory.dmp

memory/2188-3-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2188-4-0x0000000000240000-0x00000000002C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:30

Reported

2024-04-06 01:32

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe"

Signatures

AsyncRat (rat asyncrat)
Detects executables attempting to enumerate video devices using WMI
Detects executables containing the string DcRatBy
Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.

No Description, Indicator, Process or Target details were recorded for these signatures (all fields N/A).

Processes

C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe

"C:\Users\Admin\AppData\Local\Temp\a89667a64a05760547dd5b7f8a87181fb145a48ed2492392918e653c7e5bb9a6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Eleven of these rows are reverse (PTR) lookups of in-addr.arpa names sent to 8.8.8.8. The sample never connects to any of the addresses they describe, and no such lookups appear in the Windows 7 run (behavioral1), so they are background traffic of the win10v2004 image rather than sample activity and should not be treated as indicators. The sample-attributable traffic is identical to behavioral1: two resolutions of promesasalvaro1.duckdns.org and six TCP connections to 179.13.0.175:7091.
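To turn the two Network tables into something actionable, the following added example (not part of the sandbox report) parses the rows copied from behavioral1 and behavioral2, discards the PTR-lookup noise, tallies connections per destination and flags dynamic-DNS hostnames. The rows are the report's own; the list of dynamic-DNS suffixes is an assumption chosen for illustration.

```python
"""Triage of the Network tables in this report. Added example, not sandbox code.

Splits background reverse-DNS (PTR) lookups from sample-attributable traffic,
counts connections per destination and flags dynamic-DNS hostnames. The row
blocks are copied from the behavioral1/behavioral2 tables; DDNS_SUFFIXES is an
assumed list of free dynamic-DNS providers.
"""
from collections import Counter
from dataclasses import dataclass

DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")
RESOLVER_ADDRS = {"8.8.8.8:53"}  # the sandbox's upstream resolver, not an indicator
PTR_SUFFIX = ".in-addr.arpa"

BEHAVIORAL1_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
"""

BEHAVIORAL2_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 promesasalvaro1.duckdns.org udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
CO 179.13.0.175:7091 promesasalvaro1.duckdns.org tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    destination: str  # ip:port as printed in the table
    domain: str
    proto: str

    def is_ptr_lookup(self):
        return self.domain.endswith(PTR_SUFFIX)

    def is_ddns(self):
        return self.domain.lower().endswith(DDNS_SUFFIXES)


def parse_rows(text):
    """Parse the four-column sandbox table, skipping the header and blank lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        flows.append(Flow(*parts))
    return flows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217', the address that was looked up."""
    labels = name[: -len(PTR_SUFFIX)].split(".") if name.endswith(PTR_SUFFIX) else []
    if len(labels) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels))


def triage(flows):
    """Separate OS noise from sample traffic and tally what is left."""
    ptr = [f for f in flows if f.is_ptr_lookup()]
    sample = [f for f in flows if not f.is_ptr_lookup()]
    dns = Counter(f.domain for f in sample if f.destination in RESOLVER_ADDRS)
    c2 = Counter(f"{f.domain} -> {f.destination}/{f.proto}"
                 for f in sample if f.destination not in RESOLVER_ADDRS)
    return {
        "ptr_noise": len(ptr),
        "ptr_targets": sorted({ptr_to_ip(f.domain) for f in ptr}),
        "dns_queries": dict(dns),
        "c2_connections": dict(c2),
        "ddns_domains": sorted({f.domain for f in sample if f.is_ddns()}),
    }


def iocs(flows):
    """Atomic indicators for blocking or hunting: hostnames and ip:port pairs the sample reached."""
    reached = [f for f in flows if not f.is_ptr_lookup() and f.destination not in RESOLVER_ADDRS]
    return {"domains": sorted({f.domain for f in reached}),
            "ip_ports": sorted({f.destination for f in reached})}


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        print(name, triage(parse_rows(rows)))
    print("IOCs:", iocs(parse_rows(BEHAVIORAL2_ROWS)))
```

The `ptr_targets` list is the cross-check: none of the reversed addresses appears as a destination in either table, which is what justifies discarding those rows as image noise. The dynamic-DNS flag matters operationally because the IP behind promesasalvaro1.duckdns.org can change at any time, so the hostname is the more durable indicator and the IP:port pair the more immediate one.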

Files

memory/2996-0-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/2996-1-0x00007FF958640000-0x00007FF959101000-memory.dmp

memory/2996-2-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

memory/2996-3-0x00007FF958640000-0x00007FF959101000-memory.dmp

memory/2996-4-0x000000001B2B0000-0x000000001B2C0000-memory.dmp