Malware Analysis Report

2025-01-02 12:09

Sample ID: 240419-v4qvcaag48
Target: acd3958131f7a29d582e8e06dbac8a00f95718668e0b6270603bc7f65b2a8224
SHA256: acd3958131f7a29d582e8e06dbac8a00f95718668e0b6270603bc7f65b2a8224
Tags: asyncrat, default, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

acd3958131f7a29d582e8e06dbac8a00f95718668e0b6270603bc7f65b2a8224

Threat Level: Known bad

The file acd3958131f7a29d582e8e06dbac8a00f95718668e0b6270603bc7f65b2a8224 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 17:32

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 17:32

Reported

2024-04-19 17:35

Platform

win7-20240220-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2148 (4 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2600 (4 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2820 (4 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2556 (4 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2600 wrote to memory of 2560 (4 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe

"C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dfdgfgfgfg" /tr '"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "dfdgfgfgfg" /tr '"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"

Network

Country Destination Domain Proto
IT 185.196.10.233:6606 tcp
IT 185.196.10.233:6606 tcp
IT 185.196.10.233:8808 tcp
IT 185.196.10.233:7707 tcp
IT 185.196.10.233:7707 tcp
IT 185.196.10.233:8808 tcp

Files

memory/2912-0-0x0000000001110000-0x0000000001122000-memory.dmp

memory/2912-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2912-2-0x0000000000520000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.bat

MD5 659b2027267e69d7026e33d005456fb6
SHA1 caef589256db949ca812291fb6331ba0a06e4f52
SHA256 3321777de5da7ac959a48869cd7ef9e6c6d6d0d526188a04f95cc742b8bc8509
SHA512 41725772a39ea8c149d3edf1a4526e59df517b9b675fbe585c6af629d52cedff360390e2cd2f96e373ffc490f39f385b9b09ff035881ab1fafe5c967ab69e5de

memory/2912-12-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

MD5 0f6a7323fb09a98ee204e42a4695dfd9
SHA1 045f48f35159e232c0aa100e3fc566e0a4b4060f
SHA256 ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8
SHA512 b80fbb486f8a8c7ad8994909f2d4e9134dafeed8133c727e1c5b6e463608f6e10662b2fab883e9b1f4bedb71d86756140631d4d8a63c626ad5e7622f1ef1ddbb

memory/2560-16-0x0000000000D10000-0x0000000000D22000-memory.dmp

memory/2560-17-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2560-18-0x0000000000520000-0x0000000000560000-memory.dmp

memory/2560-19-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/2560-20-0x0000000000520000-0x0000000000560000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 17:32

Reported

2024-04-19 17:36

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (22 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 2284 (3 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 4132 (3 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3652 wrote to memory of 4336 (3 occurrences) N/A C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 2608 (3 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4336 wrote to memory of 2424 (3 occurrences) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe

"C:\Users\Admin\AppData\Local\Temp\ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dfdgfgfgfg" /tr '"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "dfdgfgfgfg" /tr '"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD298.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

"C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe"

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
IT 185.196.10.233:6606 tcp

Files

memory/3652-0-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/3652-1-0x0000000000F00000-0x0000000000F12000-memory.dmp

memory/3652-2-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/3652-3-0x0000000005A80000-0x0000000005A90000-memory.dmp

memory/3652-4-0x0000000005A80000-0x0000000005A90000-memory.dmp

memory/3652-5-0x0000000005C50000-0x0000000005CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD298.tmp.bat

MD5 f84b93cc61f03799c9548b29eae6f090
SHA1 d1d0e3b9abe9860272893f6093f8cb0436b3392b
SHA256 b6a7c254f459ead0f4764d47f7a205fff54856e894d16e3a4c7bc0553f0d43a4
SHA512 a22ac5e5aa1b277be154a41082812541f29db9c1db774f574a8f3f4501d0320144bcbf4f0d68ac11a10b8c39df90a8294752e0db0bed8f92eb7e6978da869f00

memory/3652-11-0x0000000075370000-0x0000000075B20000-memory.dmp

C:\Users\Admin\AppData\Roaming\dfdgfgfgfg.exe

MD5 0f6a7323fb09a98ee204e42a4695dfd9
SHA1 045f48f35159e232c0aa100e3fc566e0a4b4060f
SHA256 ab3033f608fadc0fb8b6cea666c8abb2015833552a202ed8fa8b79541c08e4a8
SHA512 b80fbb486f8a8c7ad8994909f2d4e9134dafeed8133c727e1c5b6e463608f6e10662b2fab883e9b1f4bedb71d86756140631d4d8a63c626ad5e7622f1ef1ddbb

memory/2424-15-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2424-16-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/2424-17-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2424-18-0x0000000002C00000-0x0000000002C10000-memory.dmp