Analysis Overview
SHA256
a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82
Threat Level: Known bad
The file a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Detects executables attempting to enumerate video devices using WMI
Async RAT payload
Asyncrat family
Detects executables containing the string DcRatBy
Detects executables attempting to enumerate video devices using WMI
Detects executables containing the string DcRatBy
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 01:39
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Detects executables attempting to enumerate video devices using WMI
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing the string DcRatBy
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 01:39
Reported
2024-06-29 01:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
AsyncRat
Detects executables attempting to enumerate video devices using WMI
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing the string DcRatBy
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe
"C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe"
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
Files
memory/4600-1-0x00000000002A0000-0x00000000002B6000-memory.dmp
memory/4600-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp
memory/4600-2-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/4600-3-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp
memory/4600-4-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 01:39
Reported
2024-06-29 01:42
Platform
win7-20240221-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
AsyncRat
Detects executables attempting to enumerate video devices using WMI
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing the string DcRatBy
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe
"C:\Users\Admin\AppData\Local\Temp\a55c7ed8b626f509f1db86fb6be1823a6bdf54b47c73a348cfe70c36e8b45d82.exe"
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
| US | 147.185.221.20:36797 | N/A | tcp |
Files
memory/2276-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
memory/2276-1-0x0000000000D90000-0x0000000000DA6000-memory.dmp
memory/2276-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2276-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2276-4-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
memory/2276-5-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp