Malware Analysis Report

2025-01-02 12:15

Sample ID: 240416-23vv8sfa63
Target: AsyncClient.exe
SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
Tags: asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Asyncrat family

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 23:06

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 23:06

Reported: 2024-04-16 23:10

Platform: win7-20240221-en

Max time kernel: 162s

Max time network: 175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2552 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2552 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2552 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2552 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2552 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA506.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 report-dust.gl.at.ply.gg udp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp

Files

memory/2100-0-0x00000000003B0000-0x00000000003C2000-memory.dmp

memory/2100-1-0x0000000074250000-0x000000007493E000-memory.dmp

memory/2100-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA506.tmp.bat

MD5 379882b5c10e39492e34a1880f7e8e2c
SHA1 eb5d3bf30d3ec84f0bf94dd4e33f09efc12b8143
SHA256 eaa823732b6fca85ebf03fa114609bae3e602184cceb6628b3e575447e135bfb
SHA512 570e3c8a108b02589e30ae0fb4df493792890c9c90720f7d2dc7cc2587e22ac3fbec88396c96ffeef78eab3c2ea763870fd01f8738f026fbb3627fa3b26fecfa

memory/2100-11-0x0000000074250000-0x000000007493E000-memory.dmp

\Users\Admin\AppData\Roaming\Svchost.exe

MD5 d933c68464a25181fceeaf51aff27c7d
SHA1 c683186a615cc17e30a234e3a8ed666528c81998
SHA256 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
SHA512 e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa

memory/2620-16-0x0000000000E30000-0x0000000000E42000-memory.dmp

memory/2620-17-0x0000000074150000-0x000000007483E000-memory.dmp

memory/2620-18-0x0000000000520000-0x0000000000560000-memory.dmp

memory/2620-19-0x0000000074150000-0x000000007483E000-memory.dmp

memory/2620-20-0x0000000000520000-0x0000000000560000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 23:06

Reported: 2024-04-16 23:09

Platform: win10v2004-20240226-en

Max time kernel: 147s

Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3860 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3860 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2196 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2196 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2196 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2196 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2196 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4541.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 report-dust.gl.at.ply.gg udp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 147.185.221.19:28329 report-dust.gl.at.ply.gg tcp

Files

memory/5064-0-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/5064-1-0x0000000000140000-0x0000000000152000-memory.dmp

memory/5064-2-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/5064-3-0x0000000004E30000-0x0000000004ECC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4541.tmp.bat

MD5 fd97a97518adb73a8063cb441446c966
SHA1 7f52fe4b179fe0928f9520f07d4230fa0bb1ba6f
SHA256 1cd65d874c205120793348e381b2c482f8a39de147554a68b4d6a9c4ba787919
SHA512 ee482484ffa8c71abcd83bad10fcd33e5a73aa2089ede4b8f14e06b8c2b374355dc9a5340b3fbdd21ca7fba838e525e607e82a9a1989b891d362f2db7fcdb3d4

memory/5064-9-0x0000000074B70000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Roaming\Svchost.exe

MD5 d933c68464a25181fceeaf51aff27c7d
SHA1 c683186a615cc17e30a234e3a8ed666528c81998
SHA256 84a10e968ebf326f31f230f19bc4aced4388e87cecb3f08b7d9cadfec3627df4
SHA512 e62f70bc6437ec94bbab5b3f098b52861b7b7e4eaaafd4d82abb77df6e9c1307a771ee5a1fbdb3ca0afafd22a1cd5cee5b3cfaedc10f00af5b0715bf544c44aa

memory/4652-13-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4652-14-0x0000000074AF0000-0x00000000752A0000-memory.dmp