Malware Analysis Report

2025-01-02 12:11

Sample ID: 240419-wx1awace9y
Target: f8590e30885a7ab138613a0747d69830715d6f4d656274cf0a613f56741a9f0a
SHA256: f8590e30885a7ab138613a0747d69830715d6f4d656274cf0a613f56741a9f0a
Tags: rat, default, asyncrat
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: f8590e30885a7ab138613a0747d69830715d6f4d656274cf0a613f56741a9f0a
Threat Level: Known bad

The file f8590e30885a7ab138613a0747d69830715d6f4d656274cf0a613f56741a9f0a was found to be: Known bad.

Malicious Activity Summary

Tags: rat, default, asyncrat

Async RAT payload
Asyncrat family
AsyncRat
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-19 18:18

Signatures

Async RAT payload
Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family
Tags: asyncrat

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-19 18:18
Reported: 2024-04-19 18:22
Platform: win7-20231129-en
Max time kernel: 126s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)
Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe
Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1724 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | C:\Windows\System32\cmd.exe | 3
PID 1724 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | C:\Windows\system32\cmd.exe | 3
PID 852 wrote to memory of 2588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe | 3
PID 1124 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe | 3
PID 1124 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Registry.exe | 3

Uses Task Scheduler COM API
Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe

"C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B8C.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Registry.exe

"C:\Users\Admin\AppData\Roaming\Registry.exe"

Network

Country | Destination | Domain | Proto | Occurrences
VN | 171.233.98.70:18274 | | tcp | 6

Files

memory/1724-0-0x0000000001330000-0x0000000001348000-memory.dmp
memory/1724-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp
memory/1724-3-0x000000001AFF0000-0x000000001B070000-memory.dmp
memory/1724-4-0x00000000770C0000-0x0000000077269000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1B8C.tmp.bat
  MD5    8c08b19eff6775d6da016c1dcb0a0e9b
  SHA1   017aa5e05eb236cb03ec329abd8f9ed6cfebc4f3
  SHA256 22692fcff086d44257f00781b9aa30106bcfec7c7319a666fe02fd7e226f93fb
  SHA512 7d0ee7be1c97fd529c5d5cebf07703aaa408ff13a3a500d758657c3ee1d8c1cd6322260e989c7300dfb4667dc2a332b73be537427cf15e2389d0d760d86607dc

memory/1724-14-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp
memory/1724-15-0x00000000770C0000-0x0000000077269000-memory.dmp

C:\Users\Admin\AppData\Roaming\Registry.exe
  MD5    97aa6075af6cb1417f4e7b50773c3e56
  SHA1   9493bde5bae684164091394f435a516769358073
  SHA256 bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b
  SHA512 1594ccc44012486b7f7d4e3f3dd7dd83132f2825ce8871b28b3b851a59f41dbe946912c5ff88b5afaed09f9a119f51b2bc5f5a4bf854239f193c950164c94cff

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  MD5    cf759e4c5f14fe3eec41b87ed756cea8
  SHA1   c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2728-20-0x000007FEF4A20000-0x000007FEF540C000-memory.dmp
memory/2728-19-0x0000000000830000-0x0000000000848000-memory.dmp
memory/2728-22-0x000000001AFB0000-0x000000001B030000-memory.dmp
memory/2728-23-0x00000000770C0000-0x0000000077269000-memory.dmp
memory/2728-24-0x000007FEF4A20000-0x000007FEF540C000-memory.dmp
memory/2728-25-0x00000000770C0000-0x0000000077269000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-19 18:18
Reported: 2024-04-19 18:22
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe"

Signatures

AsyncRat
Tags: rat, asyncrat

Async RAT payload
Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings
Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | N/A

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)
Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe
Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | N/A | 23
N/A | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A | 8

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Registry.exe | N/A

Uses Task Scheduler COM API
Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe

"C:\Users\Admin\AppData\Local\Temp\bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"'

C:\Users\Admin\AppData\Roaming\Registry.exe

"C:\Users\Admin\AppData\Roaming\Registry.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto | Occurrences
US | 20.231.121.79:80 | | tcp | 1
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1
VN | 171.233.98.70:18274 | | tcp | 6
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp | 2
GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp | 1
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp | 1

Files

memory/3404-0-0x0000000000F30000-0x0000000000F48000-memory.dmp
memory/3404-1-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/3404-3-0x000000001BD50000-0x000000001BD60000-memory.dmp
memory/3404-4-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp
memory/3404-9-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF637.tmp.bat
  MD5    f4efa0922f09dd50022fb83da7f40406
  SHA1   ce16aa64d92a0b99cb99d5f5e2edb025b002f60f
  SHA256 af367f574c58556f352f306b358c963dd50a33ab18caf326722010a82944e4d6
  SHA512 75088b7df5c0cb1222536b7aeed1cb94ddf411f74a5223641c4e895a92cae05ef634e19396e766b369da6553eb3addd5abf9ce29d9f49c43f00bdcbfe06d99d0

memory/3404-11-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Registry.exe
  MD5    97aa6075af6cb1417f4e7b50773c3e56
  SHA1   9493bde5bae684164091394f435a516769358073
  SHA256 bc6005c0a53f37d259323fd3aeb2682b914050f20409fcfd21da5b31474a908b
  SHA512 1594ccc44012486b7f7d4e3f3dd7dd83132f2825ce8871b28b3b851a59f41dbe946912c5ff88b5afaed09f9a119f51b2bc5f5a4bf854239f193c950164c94cff

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  MD5    cf759e4c5f14fe3eec41b87ed756cea8
  SHA1   c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/4272-16-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/4272-17-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4272-18-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/4272-19-0x0000000002CD0000-0x0000000002CE0000-memory.dmp