Malware Analysis Report

2024-09-22 07:01

Sample ID 240617-gvr46axfme
Target Infected.exe
SHA256 19bd695a55a24a90fba5251cfaf638c4b1d8c92518414db907a79e33ae9e5b43
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19bd695a55a24a90fba5251cfaf638c4b1d8c92518414db907a79e33ae9e5b43

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Async RAT payload

Asyncrat family

Deletes itself

Unsigned PE

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 06:07

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 06:07

Reported

2024-06-17 06:10

Platform

win7-20240611-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1692 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1692 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2C4A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 147.185.221.19:25944 environmental-blank.gl.at.ply.gg tcp
US 147.185.221.19:25944 environmental-blank.gl.at.ply.gg tcp
US 147.185.221.19:25944 environmental-blank.gl.at.ply.gg tcp

Files

memory/3044-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

memory/3044-1-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/3044-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

memory/3044-3-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab20CC.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

memory/3044-18-0x0000000000640000-0x0000000000674000-memory.dmp

memory/3044-35-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

memory/3044-36-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

memory/3044-37-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

memory/3044-39-0x00000000021E0000-0x0000000002292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2B8C.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\Local\Temp\tmp2C4A.tmp.bat

MD5 a758fa8ffce76171f45e7580fcc609a5
SHA1 e309896f6fb347881f31e9e783bd3ce437fd6ebc
SHA256 9262486be287a352194bedbdf3fa915bb21b471d1fba6f9b968c4584291733ef
SHA512 4ee0c89582a63f1afa51b9b3519a2ad4ebd3802afeded1434c977600cc977dcd74803da1deef3561d65b8e1f42706312db40b4357f7b4aff65d273f417060b2e

memory/3044-64-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 06:07

Reported

2024-06-17 06:10

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3824,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp
US 8.8.8.8:53 environmental-blank.gl.at.ply.gg udp

Files

memory/3268-1-0x00007FFE86A93000-0x00007FFE86A95000-memory.dmp

memory/3268-0-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/3268-2-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp

memory/3268-3-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp

memory/3268-4-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp