Malware Analysis Report

2025-04-13 12:36

Sample ID 240803-byhr1atamf
Target 64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe
SHA256 64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c
Tags
rat virustotal asyncrat discovery
score
10/10

Table of Contents

  Analysis Overview
    MITRE ATT&CK
      Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c

Threat Level: Known bad

The file 64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe was found to be: Known bad.

Malicious Activity Summary

rat virustotal asyncrat discovery

Async RAT payload

Asyncrat family

AsyncRat

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 01:33

Signatures

Async RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Asyncrat family

asyncrat

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 01:33

Reported

2024-08-03 01:35

Platform

win7-20240708-en

Max time kernel

128s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe"

Signatures

AsyncRat

rat asyncrat

System Location Discovery: System Language Discovery

discovery
Description:  Key opened
Indicator:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:      C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe
Target:       N/A

Processes

Path:          C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe
Command line:  "C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe"

Network

Country  Destination           Domain                 Proto
US       8.8.8.8:53            trip-par.gl.at.ply.gg  udp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg  tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg  tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg  tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg  tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg  tcp

Files

memory/1596-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

memory/1596-1-0x00000000000D0000-0x00000000000E2000-memory.dmp

memory/1596-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/1596-3-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

memory/1596-4-0x0000000073FB0000-0x000000007469E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 01:33

Reported

2024-08-03 01:35

Platform

win10v2004-20240802-en

Max time kernel

128s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe"

Signatures

AsyncRat

rat asyncrat

System Location Discovery: System Language Discovery

discovery
Description:  Key opened
Indicator:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:      C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe
Target:       N/A

Processes

Path:          C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe
Command line:  "C:\Users\Admin\AppData\Local\Temp\64539c58f1e8babc9f0e58212a8db5ef4242156da46471372e2b86460620e00c.exe"

Network

Country  Destination           Domain                       Proto
US       8.8.8.8:53            73.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa    udp
US       8.8.8.8:53            trip-par.gl.at.ply.gg        udp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg        tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg        tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg        tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg        tcp
US       147.185.221.19:59786  trip-par.gl.at.ply.gg        tcp

Files

memory/1176-0-0x000000007514E000-0x000000007514F000-memory.dmp

memory/1176-1-0x0000000000180000-0x0000000000192000-memory.dmp

memory/1176-2-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1176-3-0x000000007514E000-0x000000007514F000-memory.dmp

memory/1176-4-0x0000000075140000-0x00000000758F0000-memory.dmp