Analysis Overview
SHA256
0c48eda9bbbac547e4b4c17fdd2fa685695e5d20c5b0c1582e8e08879540780b
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
AsyncRat
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-17 07:12
Signatures
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 07:12
Reported
2024-04-17 07:15
Platform
win10v2004-20240412-en
Max time kernel
126s
Max time network
114s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
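The three SeDebugPrivilege rows above are Client.exe, launched from the user's Temp directory, enabling the debug privilege on its own token; that is what an unsigned sample does before opening handles to other processes. The following is an added example, not part of this report or of the sandbox's own signature logic: it runs a simple hunt over Windows Security event 4703 ("A user right was adjusted") records and flags SeDebugPrivilege being enabled by a process that lives under a user-writable path. The records are constructed for the demo (field names are those of event 4703; only the Client.exe path comes from the report), and the list of user-writable directories is an assumption you would tune to your estate.

```python
import re

# Constructed Security-log records shaped like Windows event 4703.
# Field names follow the real event; all values are invented except the
# Client.exe path, which is the one reported above.
EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Program Files\Vendor\agent.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
]

# Assumed set of user-writable locations; extend for your environment.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE
)


def enabled_privileges(event):
    # 4703 lists privileges separated by newlines/tabs; accept commas as well.
    raw = event.get("EnabledPrivilegeList", "") or ""
    return {p for p in re.split(r"[,\s]+", raw) if p and p != "-"}


def is_suspicious(event):
    """SeDebugPrivilege enabled by a process running from a user-writable path."""
    if event.get("EventID") != 4703:
        return False
    if "SeDebugPrivilege" not in enabled_privileges(event):
        return False
    return bool(USER_WRITABLE.search(event.get("ProcessName", "")))


def hunt(events):
    """Return {process_path: hit_count} for every suspicious adjustment."""
    hits = {}
    for event in events:
        if is_suspicious(event):
            path = event["ProcessName"]
            hits[path] = hits.get(path, 0) + 1
    return hits


if __name__ == "__main__":
    for path, count in hunt(EVENTS).items():
        print(f"{count}x SeDebugPrivilege enabled by {path}")
```

SeDebugPrivilege on its own is noisy (debuggers, backup agents and EDR sensors enable it routinely), which is why the rule keys on the combination with a user-writable process path rather than on the privilege alone; the svchost.exe record above is deliberately not flagged.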
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.1:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.144:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
| N/A | 127.0.0.144:4449 | | tcp |
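The table mixes three kinds of traffic: reverse-DNS (PTR) lookups sent to 8.8.8.8, which are background noise from the sandbox VM; TCP attempts to loopback addresses (127.0.0.1 and 127.0.0.144, both inside 127.0.0.0/8) on port 4449, which never leave the host; and repeated TCP attempts to 5.12.198.225:4449, the only external endpoint and therefore the C2 indicator worth blocking. No forward lookup of a C2 hostname appears, consistent with an IP hardcoded in the sample's configuration. The following is an added example, not part of the report: it parses rows in the layout of the Network table above and separates those three classes. The embedded rows are a constructed excerpt of the table (including one row in the misaligned form in which the report lists proto under Domain), and the PTR decoding is standard in-addr.arpa octet reversal.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of the behavioral1 Network table above, as pipe-delimited
# rows: Country | Destination | Domain | Proto. The fourth row reproduces the
# misaligned form seen in the report, with "tcp" sitting in the Domain column.
NETWORK_TABLE = """
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | tcp | |
| N/A | 127.0.0.144:4449 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| RO | 5.12.198.225:4449 | | tcp |
| N/A | 127.0.0.1:4449 | | tcp |
| RO | 5.12.198.225:4449 | | tcp |
"""


def parse_rows(table):
    """Parse pipe-delimited rows into dicts, tolerating the shifted proto column."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain          # repair misaligned row
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_target(name):
    """'71.31.126.40.in-addr.arpa' -> '40.126.31.71' (the IP being reverse-resolved)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets))


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"                     # resolver traffic, here only PTR lookups
    if ip.is_loopback:                   # covers all of 127.0.0.0/8, e.g. 127.0.0.144
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "local"
    return "external"


def c2_candidates(table):
    """Count attempts per external endpoint: (ip, port, proto, country) -> n."""
    counts = Counter()
    for row in parse_rows(table):
        if classify(row) == "external":
            counts[(row["ip"], row["port"], row["proto"], row["country"])] += 1
    return dict(counts)


def ptr_lookups(table):
    """IPs the VM tried to reverse-resolve; useful for spotting sandbox noise."""
    return sorted({ptr_target(r["domain"]) for r in parse_rows(table)
                   if classify(r) == "dns" and r["domain"].endswith(".in-addr.arpa")})


if __name__ == "__main__":
    print("C2 candidates:", c2_candidates(NETWORK_TABLE))
    print("PTR targets:", ptr_lookups(NETWORK_TABLE))
```

Run against the full table on this page the same function yields a single external endpoint, 5.12.198.225:4449/tcp, attempted seven times within the 114 s network window; the repeated loopback attempts on the same port are most likely the sample cycling through configured hosts, and are not themselves an indicator for network blocking.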
Files
memory/2220-0-0x00000000001E0000-0x00000000001F6000-memory.dmp
memory/2220-2-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp
memory/2220-3-0x000000001BD00000-0x000000001BD10000-memory.dmp
memory/2220-4-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp
memory/2220-5-0x000000001BD00000-0x000000001BD10000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
memory/860-7-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp
memory/860-8-0x000000001C290000-0x000000001C2A0000-memory.dmp
memory/860-10-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/4668-12-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp
memory/4668-13-0x000000001BD50000-0x000000001BD60000-memory.dmp
memory/4668-14-0x00007FFB242B0000-0x00007FFB24D71000-memory.dmp