Malware Analysis Report

2025-01-02 12:15

Sample ID: 240416-25ratsgf6x
Target: Svchost.exe
SHA256: 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
Tags: rat, default, asyncrat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
Threat Level: Known bad

The file Svchost.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat, default, asyncrat

Asyncrat family
Async RAT payload
AsyncRat
Async RAT payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 23:10

Signatures

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Asyncrat family
Tags: asyncrat

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 23:10
Reported: 2024-04-16 23:12
Platform: win7-20240220-en
Max time kernel: 130s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Svchost.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Roaming\Svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe
Tags: evasion

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2768 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2932 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2932 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2932 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2888 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2932 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2932 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 2932 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost.exe"

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | report-dust.gl.at.ply.gg | udp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp

Files

memory/2768-0-0x0000000000870000-0x0000000000882000-memory.dmp

memory/2768-1-0x0000000074880000-0x0000000074F6E000-memory.dmp

memory/2768-2-0x0000000004730000-0x0000000004770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat

MD5 784b474e86b57a6bb8f94720762a716d
SHA1 133b7be4cac95a9a6f191dff492933fd478e53af
SHA256 bb3294443605215973837367c4934912c2f6d21e2be54caa7d38ca888d8af492
SHA512 8b8be5521a8f82942d44a03e57f0955516f4d9a77063a8e7a3cdf0dcb25444c6f1e27c3e1223f4eab8f6ac154a7055bd7f62b3dfa7ced4caebc14f09ae772356

memory/2768-12-0x0000000074880000-0x0000000074F6E000-memory.dmp

\Users\Admin\AppData\Roaming\Svchost.exe

MD5 2c01d39807db97c023bed5a537afc7d1
SHA1 fb5cae1a4c68278631803413a34182141b85c4a2
SHA256 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
SHA512 367256dd718596de7b89b0a910a96194dd7514eb83eb8670dea83326af63564dc1e9952142903203e2df876531ea034921c0e82616f7836f0125b8e3026744f7

memory/2552-16-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2552-17-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2552-18-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

memory/2552-19-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2552-20-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 23:10
Reported: 2024-04-16 23:12
Platform: win10v2004-20240412-en
Max time kernel: 147s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Svchost.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Roaming\Svchost.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe
Tags: evasion

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 1620 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Svchost.exe | C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4692 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4692 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4692 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4692 wrote to memory of 3616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 4692 wrote to memory of 3616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe
PID 4692 wrote to memory of 3616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9172.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Svchost.exe"

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | report-dust.gl.at.ply.gg | udp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 147.185.221.19:28329 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp
US | 147.185.221.19:8188 | report-dust.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

memory/1620-0-0x00000000005F0000-0x0000000000602000-memory.dmp

memory/1620-1-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/1620-2-0x00000000054E0000-0x000000000557C000-memory.dmp

memory/1620-7-0x0000000074EA0000-0x0000000075650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9172.tmp.bat

MD5 2716c60c7864fd71a835bca7427a0f5d
SHA1 a46e8a531f195a74ed42bdf6a898923cc96b6230
SHA256 13b7d8ce251b41beb9390867a4765063239a328bf730d363fdd915e021cd2f22
SHA512 d1e4675311d21657efc94c7c670900d28e5d0fcc9fbfa7b03eee0a5a6e9c3921050e27f816152485824c2c4eb76f6676c684967a96b2209fcfccd4330b5951eb

C:\Users\Admin\AppData\Roaming\Svchost.exe

MD5 2c01d39807db97c023bed5a537afc7d1
SHA1 fb5cae1a4c68278631803413a34182141b85c4a2
SHA256 3f5d4db207164b474b8db3b278f7d9646145181a8211e6c851f1a40aec05a9c4
SHA512 367256dd718596de7b89b0a910a96194dd7514eb83eb8670dea83326af63564dc1e9952142903203e2df876531ea034921c0e82616f7836f0125b8e3026744f7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Svchost.exe.log

MD5 acc9090417037dfa2a55b46ed86e32b8
SHA1 53fa6fb25fb3e88c24d2027aca6ae492b2800a4d
SHA256 2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b
SHA512 d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

memory/3616-13-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/3616-14-0x0000000074E20000-0x00000000755D0000-memory.dmp