Malware Analysis Report

2025-01-02 12:09

Sample ID: 240419-v855tsah94
Target: a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713
SHA256: a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713
Tags: rat, default, asyncrat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713

Threat Level: Known bad

The file a2163c100214cbfb13acab8601629a0cc0a6a65fe2454962f1d0d4e66a6bd713 was found to be: Known bad.

Malicious Activity Summary

Tags: rat, default, asyncrat

Asyncrat family

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 17:40

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 17:40

Reported

2024-04-19 17:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsDefender.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.eu.ngrok.io N/A N/A (reported 3 times)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsDefender.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 1636 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe C:\Windows\System32\cmd.exe
PID 2344 wrote to memory of 2948 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 2676 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2948 wrote to memory of 2712 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2948 wrote to memory of 2512 (3 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WindowsDefender.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe

"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA257.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe

"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
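The listing above is the whole install chain: the sample spawns one cmd.exe that registers a logon task named "WindowsDefender" pointing at its copy in AppData\Roaming with /rl highest, and a second cmd.exe that runs a .tmp.bat from Temp, which waits (timeout 3) and then starts that copy. This is the same sequence as the install routine of the open-source AsyncRAT client. As an added example (not part of the sandbox report and not AsyncRAT project code), the Python below rebuilds the process tree from the page's PIDs, image paths and command lines, parses the schtasks call and flags both behaviours. The process records are constructed from the report; the rule names, the user-writable directory markers and the look-alike word list are my own assumptions.

```python
import ntpath
import re
from collections import namedtuple

# Process records reconstructed from the behavioral1 run above (constructed
# input): parent/child links come from the "Suspicious use of
# WriteProcessMemory" rows, image paths and command lines from "Processes".
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
BATCH = r"C:\Users\Admin\AppData\Local\Temp\tmpA257.tmp.bat"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
SCHTASKS = ('schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" '
            f'/tr \'"{DROPPED}"\'')

Proc = namedtuple("Proc", "pid ppid image cmdline")
PROCESSES = [
    Proc(2344, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(1636, 2344, CMD_EXE, f'"{CMD_EXE}" /c {SCHTASKS} & exit'),
    Proc(2948, 2344, r"C:\Windows\system32\cmd.exe", f'cmd /c ""{BATCH}""'),
    Proc(2676, 1636, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    Proc(2712, 2948, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    Proc(2512, 2948, DROPPED, f'"{DROPPED}"'),
]

# Assumed lists: directories a standard user can write to, and words a task
# name uses to pass as an OS or security component.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LOOKALIKE = ("defender", "windows", "microsoft", "security", "update")
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline):
    """Split a command line, keeping quoted spans whole and dropping the quotes."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline) if t.strip("'\"")]


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_schtasks(cmdline):
    """Return the options of the schtasks call found in cmdline, or None."""
    toks = tokenize(cmdline)
    names = [ntpath.basename(t).lower() for t in toks]
    hits = [i for i, n in enumerate(names) if n in ("schtasks", "schtasks.exe")]
    if not hits:
        return None
    opts = {"verb": None, "force": False, "sc": None, "rl": None, "tn": None, "tr": None}
    i = hits[0] + 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("&", "&&", "|", "||"):   # next command in a cmd.exe chain
            break
        if t in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            opts["verb"] = t[1:]
        elif t == "/f":
            opts["force"] = True
        elif t in ("/sc", "/rl", "/tn", "/tr") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts


def analyze(procs):
    """Run both detections over the process list and return the findings."""
    findings, seen_tasks, children = [], set(), {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    images = {p.image.lower() for p in procs}
    for p in procs:
        opts = parse_schtasks(p.cmdline)
        if opts and opts["verb"] == "create" and opts["tr"]:
            name, target = opts["tn"] or "", opts["tr"]
            sc, rl = (opts["sc"] or "").lower(), (opts["rl"] or "").lower()
            key = (name.lower(), target.lower())
            if key not in seen_tasks:   # "cmd /c schtasks ..." and schtasks.exe carry the same call
                seen_tasks.add(key)
                findings.append({
                    "rule": "scheduled_task_persistence", "pid": p.pid,
                    "task_name": name, "schedule": sc, "run_level": rl, "task_run": target,
                    "autostart_elevated": sc == "onlogon" and rl == "highest",
                    "masquerade": user_writable(target) and any(w in name.lower() for w in LOOKALIKE),
                    "target_executed": target.lower() in images,
                })
        if ntpath.basename(p.image).lower() == "cmd.exe":
            # drop-delay-execute: cmd runs a .bat from a user-writable dir, waits
            # with timeout.exe, then starts an .exe from a user-writable dir
            bats = [t for t in tokenize(p.cmdline) if t.lower().endswith(".bat") and user_writable(t)]
            kids = children.get(p.pid, [])
            delayed = any(ntpath.basename(k.image).lower() == "timeout.exe" for k in kids)
            launched = [k.image for k in kids if k.image.lower().endswith(".exe") and user_writable(k.image)]
            if bats and delayed and launched:
                findings.append({"rule": "batch_delay_then_execute", "pid": p.pid,
                                 "batch": bats[0], "executed": launched})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESSES):
        print(finding)
```

The tokenizer keeps the odd `'"path"'` quoting of the /tr argument together as one token; on a real host the same two rules can be run over Sysmon event ID 1 records, which supply the ParentProcessId, Image and CommandLine fields the records above stand in for.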

Network

Country  Destination             Domain              Proto
US       8.8.8.8:53              6.tcp.eu.ngrok.io   udp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
US       8.8.8.8:53              6.tcp.eu.ngrok.io   udp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io   tcp
N/A      127.0.0.1:8848          -                   tcp
N/A      127.0.0.1:8848          -                   tcp
N/A      127.0.0.1:8848          -                   tcp
N/A      127.0.0.1:8848          -                   tcp
US       8.8.8.8:53              6.tcp.eu.ngrok.io   udp
DE       18.197.239.109:16234    6.tcp.eu.ngrok.io   tcp
DE       18.197.239.109:16234    6.tcp.eu.ngrok.io   tcp

Files

memory/2344-0-0x0000000000D30000-0x0000000000D42000-memory.dmp

memory/2344-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/2344-2-0x000000001AF30000-0x000000001AFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA257.tmp.bat

MD5 659adeabd04a160da068a6ccc2fa9f29
SHA1 5a5a004aef7e94e5dcffe212c9e5aa04e48d43b1
SHA256 6b6e609e70ae90f6be40f25298064d2ad8f30cd9d9ea72c76071f09b029f3834
SHA512 6531a359567917208c2eeb1db4a017603dfc0f154f3b936ef4b2b88a29053f6657c4d58c47399944371448ff05c2fdd6c6b6cde5223eb7cc1144a6b99d481dd7

memory/2344-12-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe

MD5 304d41baaa716a6d582877785f93ef68
SHA1 a2b16217d6326c54fbd7ca5586519d50ce3e20ca
SHA256 760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea
SHA512 2a1f1859bf1ee1ff3be5469d44daf96ba8e6f26e377a6e538e64be815d4e7eb87911b0cbd2cddd3135c2f0e6933151fc47f8aeefa22e7becfa1babb8d38f3a41

memory/2512-16-0x00000000008C0000-0x00000000008D2000-memory.dmp

memory/2512-17-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2512-18-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/2512-19-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2512-20-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 17:40

Reported

2024-04-19 17:43

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsDefender.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.eu.ngrok.io N/A N/A (reported 4 times)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe N/A (reported 21 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsDefender.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe

"C:\Users\Admin\AppData\Local\Temp\760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp43CA.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe

"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"

Network

Country  Destination             Domain                        Proto
US       8.8.8.8:53              6.tcp.eu.ngrok.io             udp
DE       3.66.38.117:16234       6.tcp.eu.ngrok.io             tcp
US       8.8.8.8:53              249.138.73.23.in-addr.arpa    udp
US       8.8.8.8:53              17.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53              88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53              241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53              156.33.209.4.in-addr.arpa     udp
US       8.8.8.8:53              21.114.53.23.in-addr.arpa     udp
DE       3.66.38.117:16234       6.tcp.eu.ngrok.io             tcp
N/A      127.0.0.1:8848          -                             tcp
US       8.8.8.8:53              73.239.69.13.in-addr.arpa     udp
US       8.8.8.8:53              11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53              6.tcp.eu.ngrok.io             udp
DE       18.197.239.109:16234    6.tcp.eu.ngrok.io             tcp
US       8.8.8.8:53              50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53              198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53              24.139.73.23.in-addr.arpa     udp
DE       18.197.239.109:16234    6.tcp.eu.ngrok.io             tcp
DE       18.197.239.109:16234    6.tcp.eu.ngrok.io             tcp
N/A      127.0.0.1:8848          -                             tcp
US       8.8.8.8:53              6.tcp.eu.ngrok.io             udp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
US       8.8.8.8:53              240.197.17.2.in-addr.arpa     udp
N/A      127.0.0.1:8848          -                             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
N/A      127.0.0.1:8848          -                             tcp
N/A      127.0.0.1:8848          -                             tcp
US       8.8.8.8:53              tse1.mm.bing.net              udp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       204.79.197.200:443      tse1.mm.bing.net              tcp
US       8.8.8.8:53              200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53              6.tcp.eu.ngrok.io             udp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
N/A      127.0.0.1:8848          -                             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
DE       52.28.247.255:16234     6.tcp.eu.ngrok.io             tcp
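Across the two runs the Network tables resolve 6.tcp.eu.ngrok.io to three different addresses (52.28.247.255, 18.197.239.109, 3.66.38.117), always on port 16234, next to connections to 127.0.0.1:8848 for which the report shows no peer and, in the Windows 10 run, reverse-DNS lookups and bing.net traffic from the guest. As an added example (not part of the report), the Python below parses rows in the table's format, drops the PTR lookups and what it assumes to be guest background traffic, keeps loopback separate from outbound traffic, and emits the hostname:port pair as the indicator to act on: the addresses behind a tunnel service belong to the provider's shared edge and rotate, as the three IPs for one name already show, so blocking them would be both noisy and short-lived. The row subset is copied from the tables above, and the background-host set and the ngrok endpoint pattern are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Rows in the report's "Country Destination Domain Proto" layout, copied from
# the two Network tables above (constructed subset; rows without a domain
# have only three fields).
NETWORK_ROWS = """
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 52.28.247.255:16234 6.tcp.eu.ngrok.io tcp
N/A 127.0.0.1:8848 tcp
DE 52.28.247.255:16234 6.tcp.eu.ngrok.io tcp
DE 18.197.239.109:16234 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 249.138.73.23.in-addr.arpa udp
DE 3.66.38.117:16234 6.tcp.eu.ngrok.io tcp
N/A 127.0.0.1:8848 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

# ngrok TCP tunnel endpoints look like N.tcp[.region].ngrok.io (assumed pattern).
TUNNEL_HOST_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$", re.I)
# Hosts assumed to be guest OS background traffic rather than the sample's.
BACKGROUND_HOSTS = {"tse1.mm.bing.net"}


def parse_rows(text):
    """Parse table rows into dicts; a three-field row has no Domain column."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(rows):
    """Separate C2 endpoints from resolver, loopback and background traffic."""
    c2 = defaultdict(lambda: {"kind": "direct", "ports": set(), "ips": set(), "connections": 0})
    result = {"c2": c2, "loopback_ports": set(), "dns_queries": set(),
              "ignored": defaultdict(int)}
    for r in rows:
        domain = (r["domain"] or "").lower()
        if domain.endswith(".in-addr.arpa"):           # reverse lookups by the guest
            result["ignored"]["ptr_lookup"] += 1
            continue
        if domain in BACKGROUND_HOSTS:
            result["ignored"]["background"] += 1
            continue
        if r["ip"].is_loopback:                         # no peer is visible in the report
            result["loopback_ports"].add(r["port"])
            continue
        if r["port"] == 53 and r["proto"] == "udp":     # the resolver is not an indicator,
            if domain:                                  # the queried name is
                result["dns_queries"].add(domain)
            continue
        if domain:
            entry = c2[domain]
            entry["ports"].add(r["port"])
            entry["ips"].add(str(r["ip"]))
            entry["connections"] += 1
            if TUNNEL_HOST_RE.match(domain):
                entry["kind"] = "tunnel_service"
    result["c2"] = dict(c2)
    return result


def block_indicators(result):
    """host:port for every C2; bare IPs only for direct C2, because a tunnel
    provider's edge addresses are shared with other tenants and rotate."""
    out = []
    for host, entry in sorted(result["c2"].items()):
        out.extend(f"{host}:{port}" for port in sorted(entry["ports"]))
        if entry["kind"] == "direct":
            out.extend(sorted(entry["ips"]))
    return out


if __name__ == "__main__":
    summary = extract_iocs(parse_rows(NETWORK_ROWS))
    for host, entry in summary["c2"].items():
        print(host, entry["kind"], sorted(entry["ports"]), sorted(entry["ips"]), entry["connections"])
    print("loopback:", sorted(summary["loopback_ports"]), "ignored:", dict(summary["ignored"]))
    print("block:", block_indicators(summary))
```

For a direct C2 (a name that does not match the tunnel pattern) the same function also returns the resolved addresses, so the block list distinguishes infrastructure the operator owns from infrastructure the operator merely rents.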

Files

memory/1536-0-0x00000000007D0000-0x00000000007E2000-memory.dmp

memory/1536-1-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp

memory/1536-2-0x0000000002880000-0x0000000002890000-memory.dmp

memory/1536-7-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp43CA.tmp.bat

MD5 f1908c5e9b6ed73565e73d7f9bd3558f
SHA1 09d270c90e7b33647e2547ac719382c1dc5d12a5
SHA256 2c6afd539b177a42e82b4fe9006a6fdd6593a0e933c749c20516baa908ea6aec
SHA512 cbba7759c0f4dd5bde4ac3f6c9d6d3f9f5d9f8d2123acf95f878d4dc310c239c1a576f8ef2d8ce0ce768c87ccecf56332d6765b4d02eb530c9edafdaa9f047c0

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe

MD5 304d41baaa716a6d582877785f93ef68
SHA1 a2b16217d6326c54fbd7ca5586519d50ce3e20ca
SHA256 760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea
SHA512 2a1f1859bf1ee1ff3be5469d44daf96ba8e6f26e377a6e538e64be815d4e7eb87911b0cbd2cddd3135c2f0e6933151fc47f8aeefa22e7becfa1babb8d38f3a41

memory/540-12-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp

memory/540-13-0x000000001B580000-0x000000001B590000-memory.dmp

memory/540-14-0x00007FFC5FB90000-0x00007FFC60651000-memory.dmp

memory/540-15-0x000000001B580000-0x000000001B590000-memory.dmp