Malware Analysis Report

2025-01-02 12:10

Sample ID 240419-t31gqaab7v
Target c7ab96e036b7716b5e482eefa4fe6b2b39982ed189b6c8e5e6c1d7156e006e87
SHA256 c7ab96e036b7716b5e482eefa4fe6b2b39982ed189b6c8e5e6c1d7156e006e87
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7ab96e036b7716b5e482eefa4fe6b2b39982ed189b6c8e5e6c1d7156e006e87

Threat Level: Known bad

The file c7ab96e036b7716b5e482eefa4fe6b2b39982ed189b6c8e5e6c1d7156e006e87 was found to be: Known bad.

Observed chain (same in both behavioral runs, Windows 7 and Windows 10): the executed sample copies itself to C:\Users\Admin\AppData\Roaming\666.exe (the dropped file's SHA256, 67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a, is the name of the executed file), registers a scheduled task named "666" through cmd.exe and schtasks.exe that runs the copy at every logon with /rl highest, runs a temporary batch file (tmp2108.tmp.bat / tmp35A6.tmp.bat) from which "timeout 3" and then 666.exe are started, and the copy resolves qiefuwuqi.20242525.xyz via 8.8.8.8 and connects repeatedly to 175.24.197.196:53576 over TCP, the only external peer in either run. Both the sample and the copy request SeDebugPrivilege; the copy installs a Windows hook via SetWindowsHookEx and writes C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 16:35

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 16:35

Reported

2024-04-19 16:38

Platform

win7-20231129-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 3048 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe C:\Windows\System32\cmd.exe
3 PID 3048 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe C:\Windows\system32\cmd.exe
3 PID 2884 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
3 PID 2292 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
3 PID 2292 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\666.exe

Uses Task Scheduler COM API

persistence

Processes

Process tree (parent/child relations and PIDs from the WriteProcessMemory rows and the memory dumps below):

C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe (PID 3048)
"C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe"

    C:\Windows\System32\cmd.exe (PID 2884)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "666" /tr '"C:\Users\Admin\AppData\Roaming\666.exe"' & exit

        C:\Windows\system32\schtasks.exe (PID 2360)
        schtasks /create /f /sc onlogon /rl highest /tn "666" /tr '"C:\Users\Admin\AppData\Roaming\666.exe"'

    C:\Windows\system32\cmd.exe (PID 2292)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2108.tmp.bat""

        C:\Windows\system32\timeout.exe (PID 2560)
        timeout 3

        C:\Users\Admin\AppData\Roaming\666.exe (PID 2652)
        "C:\Users\Admin\AppData\Roaming\666.exe"
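The four command lines above are the whole persistence chain: a cmd.exe child that registers an on-logon task with /rl highest pointing into a user-writable directory, a second cmd.exe that runs a tmp*.tmp.bat from %TEMP%, and that batch file starting timeout.exe and then the dropped copy. The script below is an added example, not the sandbox's own tooling: it shows detection logic for this chain over process-creation records (Sysmon Event ID 1 or EDR process-start events carry the same fields). The events are constructed from the PIDs and command lines in this run; the parent PID of the sample (1234) and the rule names are assumptions.

```python
"""Detect the AsyncRAT-style persistence chain above in process-creation telemetry.

Added example, not sandbox-vendor tooling. EVENTS is constructed to mirror the
behavioral1 process tree (PIDs and command lines as printed in the report); in
practice feed Sysmon Event ID 1 or EDR process-start records in the same shape.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\666.exe"
TR_ARG = "'\"" + DROPPED + "\"'"   # schtasks /tr value wrapped as '"path"', exactly as in the report
SCHTASKS_CMD = f'schtasks /create /f /sc onlogon /rl highest /tn "666" /tr {TR_ARG}'

# Constructed events: (pid, ppid, image, command line). The sample's parent PID 1234 is assumed.
EVENTS = [
    (3048, 1234, SAMPLE, f'"{SAMPLE}"'),
    (2884, 3048, r"C:\Windows\System32\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /c {SCHTASKS_CMD} & exit'),
    (2292, 3048, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2108.tmp.bat""'),
    (2360, 2884, r"C:\Windows\system32\schtasks.exe", SCHTASKS_CMD),
    (2560, 2292, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    (2652, 2292, DROPPED, f'"{DROPPED}"'),
]

# Directories a standard user can write to; a task action living there is a persistence red flag.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)
# cmd.exe launching a tmpXXXX.tmp.bat from %TEMP%, the launcher shape used by this sample.
TMP_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.I)


def schtasks_args(cmdline: str) -> dict:
    """Extract the /sc, /rl, /tn and /tr values from a schtasks command line,
    unwrapping the '"path"' double quoting the sample uses for /tr."""
    args = {}
    for m in re.finditer(r"/(sc|rl|tn|tr)\s+('[^']*'|\"[^\"]*\"|\S+)", cmdline, re.I):
        args[m.group(1).lower()] = m.group(2).strip("'").strip('"')
    return args


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def analyze(events) -> list:
    """Run the rules over a list of (pid, ppid, image, cmdline); parents are looked up in the same list."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        low = image.lower()
        parent = by_pid.get(ppid)
        parent_cmd = parent[3] if parent else ""
        if low.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            a = schtasks_args(cmd)
            reasons = []
            if a.get("sc", "").lower() == "onlogon":
                reasons.append("/sc onlogon")
            if a.get("rl", "").lower() == "highest":
                reasons.append("/rl highest")
            if USER_WRITABLE.search(a.get("tr", "")):
                reasons.append("/tr in user-writable path " + a["tr"])
            if len(reasons) >= 2:  # any two of the three traits is enough to alert on
                findings.append(Finding(pid, "schtasks_logon_persistence", "; ".join(reasons)))
        elif low.endswith("\\cmd.exe") and TMP_BAT.search(cmd):
            findings.append(Finding(pid, "tmp_bat_launcher", cmd))
        elif low.endswith("\\timeout.exe") and TMP_BAT.search(parent_cmd):
            findings.append(Finding(pid, "batch_delay", f"{cmd} from pid {ppid}"))
        elif TMP_BAT.search(parent_cmd) and USER_WRITABLE.search(image):
            # Executable started by the batch launcher from a user-writable path: the dropped copy.
            grandparent = by_pid.get(parent[1])
            origin = grandparent[2] if grandparent else "unknown"
            findings.append(Finding(pid, "dropped_exe_via_batch", f"{image} (dropper: {origin})"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Run against the constructed events it raises four findings, one per stage (the batch launcher, the task registration, the timeout delay, the dropped copy). The schtasks rule deliberately requires two of three traits so that a legitimate on-logon task under Program Files, or a highest-privilege task created by an installer with an on-demand trigger, does not fire it on its own.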

Network

Count Country Destination Domain Proto
1 CN 175.24.197.196:53576 tcp
1 US 8.8.8.8:53 qiefuwuqi.20242525.xyz udp
3 CN 175.24.197.196:53576 qiefuwuqi.20242525.xyz tcp
2 N/A 127.0.0.1:53576 tcp
2 CN 175.24.197.196:53576 qiefuwuqi.20242525.xyz tcp

Files

memory/3048-0-0x0000000001360000-0x0000000001378000-memory.dmp

memory/3048-1-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/3048-3-0x000000001A810000-0x000000001A890000-memory.dmp

memory/3048-4-0x0000000077C10000-0x0000000077DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2108.tmp.bat

MD5 d3f67bb5e4b1b116d74eb4c7919d7dd1
SHA1 bfcfc9c64fb71daadf01a427da45ed52686e1de8
SHA256 a4937d7b3e4da55b5c9208df0f62ef3c03dbb15abe1ac015361e6910a5b58606
SHA512 83aae78af37de24aa1fabe225a4c0102d87835325663f8f106cf68a59a0cc51bf4426807efa7eb29a5aa807aaf67a7c6c040bc05b38c9a20b5c202825f4f18ab

memory/3048-14-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

memory/3048-15-0x0000000077C10000-0x0000000077DB9000-memory.dmp

C:\Users\Admin\AppData\Roaming\666.exe

MD5 61570c8c0df19c62b674c1e477730a87
SHA1 3da25ca5f272d2408ce47f4ff848f220217ad040
SHA256 67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a
SHA512 537e04350c6aede8793b30874b55b9a016a825e189f50c07918b93a6bbca87c2c48f4c5cf00fad71d9fe11283ee56750dca87e98633e648ecab3a0815520b194

memory/2652-22-0x000000001B100000-0x000000001B180000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2652-20-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

memory/2652-19-0x0000000000BC0000-0x0000000000BD8000-memory.dmp

memory/2652-23-0x0000000077C10000-0x0000000077DB9000-memory.dmp

memory/2652-24-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

memory/2652-25-0x000000001B100000-0x000000001B180000-memory.dmp

memory/2652-26-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 16:35

Reported

2024-04-19 16:38

Platform

win10v2004-20240412-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
21 N/A N/A C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe N/A
8 N/A N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\666.exe N/A

Uses Task Scheduler COM API

persistence

Processes

Process tree (PIDs 2064 and 3636 from the memory dumps below; no PIDs are reported for the intermediate processes in this run):

C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe (PID 2064)
"C:\Users\Admin\AppData\Local\Temp\67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a.exe"

    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "666" /tr '"C:\Users\Admin\AppData\Roaming\666.exe"' & exit

        C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "666" /tr '"C:\Users\Admin\AppData\Roaming\666.exe"'

    C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp35A6.tmp.bat""

        C:\Windows\system32\timeout.exe
        timeout 3

        C:\Users\Admin\AppData\Roaming\666.exe (PID 3636)
        "C:\Users\Admin\AppData\Roaming\666.exe"
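Both runs register the identical task, so on an infected host the artifact that outlives the process tree is the task definition itself: Windows stores it as an XML file under C:\Windows\System32\Tasks\666, with the on-logon trigger, the HighestAvailable run level and the Roaming path visible in plain elements. The script below is an added example, not part of this report or of any sandbox tooling: it triages such task files offline (from a live system or a mounted disk image) for the same three traits. The two XML documents are constructed; the element names are the real Task Scheduler schema, the values mirror the schtasks command above, and the Author value and the benign vendor task are assumptions.

```python
"""Triage on-disk Task Scheduler definitions for the persistence pattern registered above.

Added example, not sandbox-vendor tooling. Windows keeps each task as an XML file under
C:\\Windows\\System32\\Tasks\\<task name>; the two documents below are constructed to
mirror the "666" task from this report and a benign vendor updater for contrast.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

# Constructed: what `schtasks /create /sc onlogon /rl highest /tn 666 /tr ...` leaves on disk.
TASK_666 = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\666.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task: daily trigger, least privilege, binary under Program Files.
TASK_BENIGN = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""


@dataclass
class TaskReport:
    name: str
    logon_trigger: bool
    run_level: str
    commands: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 2  # two of three traits, same threshold a detection rule would use


def load_task_xml(text: str) -> ET.Element:
    # Task files are UTF-16 on disk and carry an encoding="UTF-16" declaration; once the file
    # has been decoded to str that declaration makes expat reject the input, so strip it first.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


def triage_task(name: str, text: str) -> TaskReport:
    """Score one task definition on: logon trigger, HighestAvailable, action in a user-writable path."""
    root = load_task_xml(text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="LeastPrivilege", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    rep = TaskReport(name, logon, run_level, commands)
    if logon:
        rep.reasons.append("LogonTrigger")
    if run_level == "HighestAvailable":
        rep.reasons.append("RunLevel HighestAvailable")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            rep.reasons.append("command in user-writable path: " + cmd)
    return rep


def triage_directory(tasks_dir: Path) -> list:
    """Walk C:\\Windows\\System32\\Tasks (or an offline copy) and return the suspicious tasks."""
    out = []
    for p in tasks_dir.rglob("*"):
        if not p.is_file():
            continue
        try:
            rep = triage_task(str(p.relative_to(tasks_dir)), p.read_text(encoding="utf-16"))
        except (ET.ParseError, UnicodeError, OSError):
            continue  # not a task definition, or unreadable; skip rather than abort the sweep
        if rep.suspicious:
            out.append(rep)
    return out


if __name__ == "__main__":
    for name, text in (("666", TASK_666), ("Vendor Update", TASK_BENIGN)):
        r = triage_task(name, text)
        print(f"{name}: suspicious={r.suspicious} reasons={r.reasons}")
```

On a live host run triage_directory(Path(r"C:\Windows\System32\Tasks")) from an elevated prompt; against a disk image point it at the mounted Windows\System32\Tasks directory. The "666" document scores on all three traits, the benign one on none.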

Network

Count Country Destination Domain Proto
1 N/A 127.0.0.1:53576 tcp
1 CN 175.24.197.196:53576 tcp
1 US 8.8.8.8:53 qiefuwuqi.20242525.xyz udp
5 CN 175.24.197.196:53576 qiefuwuqi.20242525.xyz tcp

Files

memory/2064-0-0x00000000008C0000-0x00000000008D8000-memory.dmp

memory/2064-2-0x00007FFD83500000-0x00007FFD83FC1000-memory.dmp

memory/2064-3-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

memory/2064-8-0x00007FFDA16D0000-0x00007FFDA18C5000-memory.dmp

memory/2064-9-0x00007FFD83500000-0x00007FFD83FC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp35A6.tmp.bat

MD5 ddbcff7b8f582231595f1e1b230eba03
SHA1 b95c961209c8579bdcbbd6550e732ec01313f610
SHA256 9b1caeeecdf3a1fb6d04898f00f169d675df51cd2a2472dbfad7f8121db034f9
SHA512 4a635bf5cb0d2aad1a253849bbe3e35dd851214457f3e10729b2504690adff24036de9d5930c3d6a848b16bf10fa8fa6b226866a0708768ed8f0626ef66335e7

C:\Users\Admin\AppData\Roaming\666.exe

MD5 61570c8c0df19c62b674c1e477730a87
SHA1 3da25ca5f272d2408ce47f4ff848f220217ad040
SHA256 67579963b6060fe6549091481dbb7808bebcf21b3c994fa6791d656786773c9a
SHA512 537e04350c6aede8793b30874b55b9a016a825e189f50c07918b93a6bbca87c2c48f4c5cf00fad71d9fe11283ee56750dca87e98633e648ecab3a0815520b194

memory/3636-15-0x00007FFD83500000-0x00007FFD83FC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/3636-16-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

memory/3636-17-0x00007FFD83500000-0x00007FFD83FC1000-memory.dmp

memory/3636-18-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

memory/3636-19-0x00007FFDA16D0000-0x00007FFDA18C5000-memory.dmp

memory/3636-20-0x00007FFDA16D0000-0x00007FFDA18C5000-memory.dmp