Malware Analysis Report

2024-12-07 03:34

Sample ID 241113-hjvlkszqbr
Target COMPILED.zip
SHA256 0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
Tags
rat asyncrat discovery
score
10/10

Analysis Overview

score
10/10

SHA256

0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Threat Level: Known bad

The file COMPILED.zip was found to be: Known bad.

Malicious Activity Summary

rat asyncrat discovery

AsyncRat

Async RAT payload

Asyncrat family

Executes dropped EXE

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 06:46

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileSearcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileSearcher.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

91s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\LimeLogger.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\LimeLogger.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

91s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Options.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Options.dll,#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\ProcessManager.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

90s

Max time network

95s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31143405" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1687892800" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe.xml

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

143s

Max time network

94s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMPILED.zip"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 1100 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe
PID 4908 wrote to memory of 1100 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMPILED.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zOC23FF4E7\AsyncRAT.exe

MD5 97a429c4b6a2cb95ece0ddb24c3c2152
SHA1 6fcc26793dd474c0c7113b3360ff29240d9a9020
SHA256 06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512 524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

C:\Users\Admin\Downloads\AsyncRAT\AsyncRAT.exe.config

MD5 cb1f2dcfeb5cbb5af8efa7ea40b8e908
SHA1 ceb040761554040cac2fc7ca18623498d3bfc7ce
SHA256 58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372
SHA512 f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AsyncRAT.exe.log

MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

90s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Recovery.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

91s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Miscellaneous.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Miscellaneous.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

91s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteCamera.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteCamera.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendFile.dll,#1

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\SendMemory.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Stub\Stub.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 824

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1140-0-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1140-1-0x00000000006D0000-0x00000000006E0000-memory.dmp

memory/1140-2-0x00000000055A0000-0x00000000056A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config

MD5 f71f55112253acc1ef2ecd0a61935970
SHA1 faa9d50656e386e460278d31b1d9247fdd947bb7
SHA256 d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179
SHA512 761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

memory/2740-32-0x00007FFD6EF10000-0x00007FFD6F9D2000-memory.dmp

memory/2740-33-0x00007FFD6EF10000-0x00007FFD6F9D2000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\FileManager.dll,#1

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

90s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteDesktop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\RemoteDesktop.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Chat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Chat.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 06:46

Reported

2024-11-13 06:49

Platform

win11-20241007-es

Max time kernel

91s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Extra.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AsyncRAT\Plugins\Extra.dll,#1

Network

Files

N/A