Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2025, 08:00 UTC

General

  • Target

    AsyncClient.exe

  • Size

    45KB

  • MD5

    69030c7c0d7ed75f53081749da1e1c22

  • SHA1

    98623da151fdbe7f45ad806b0c002878b8a0b7ce

  • SHA256

    e438bbb7f03603305d8892121fc56e9d0327ca8ff34d56228cbfa198a438ede0

  • SHA512

    09e25d55f725f06af3c450ef04b8c89051655df422ab7db0dfa6b864575bf97b0c1f396b4cd3c619cf109e7e1451a9cbda1c84abbec31cbee080f60e9969bd02

  • SSDEEP

    768:luI1tT/w70kWUquzumo2qzEKjPGaG6PIyzjbFgX3ixDqokxD/eBDZWx:luI1tT/kW2tKTkDy3bCXSEodWx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

83.99.11.13:6606

83.99.11.13:7707

83.99.11.13:8808

Mutex

HTKBgEz9kLr9

Attributes
  • delay

    3

  • install

    true

  • install_file

    virus.exe

  • install_folder

    %AppData%

aes.plain
1
74gsW6xKSuXfeHpy4MU5DALzhWkdlzQr

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "virus" /tr '"C:\Users\Admin\AppData\Roaming\virus.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "virus" /tr '"C:\Users\Admin\AppData\Roaming\virus.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1228
      • C:\Users\Admin\AppData\Roaming\virus.exe
        "C:\Users\Admin\AppData\Roaming\virus.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3768

Network

  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.238.56.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.238.56.23.in-addr.arpa
    IN PTR
    Response
    59.238.56.23.in-addr.arpa
    IN PTR
    a23-56-238-59deploystaticakamaitechnologiescom
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8deploystaticakamaitechnologiescom
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    16.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 83.99.11.13:7707
    virus.exe
    260 B
    5
  • 83.99.11.13:6606
    virus.exe
    260 B
    5
  • 83.99.11.13:7707
    virus.exe
    260 B
    5
  • 83.99.11.13:6606
    virus.exe
    260 B
    5
  • 83.99.11.13:8808
    virus.exe
    260 B
    5
  • 83.99.11.13:8808
    virus.exe
    208 B
    4
  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    59.238.56.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    59.238.56.23.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    16.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    16.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.bat

    Filesize

    149B

    MD5

    a6a56aa5c39837c497a76620f4032c00

    SHA1

    05cdc27487c83b39efdcde180738132a546c2e54

    SHA256

    793eae5a8d451d41648ddbe7e74e9f7efd224bae65194b333f039fa40ec2a7b4

    SHA512

    138eddb1bd0edbbdc62352fec8f5ff9968cb48552d62e34be7fbf8f507f7f8c98817ca11347d043e809f6b85ccb703a50ea50b95202be415d174079503dca01d

  • C:\Users\Admin\AppData\Roaming\virus.exe

    Filesize

    45KB

    MD5

    69030c7c0d7ed75f53081749da1e1c22

    SHA1

    98623da151fdbe7f45ad806b0c002878b8a0b7ce

    SHA256

    e438bbb7f03603305d8892121fc56e9d0327ca8ff34d56228cbfa198a438ede0

    SHA512

    09e25d55f725f06af3c450ef04b8c89051655df422ab7db0dfa6b864575bf97b0c1f396b4cd3c619cf109e7e1451a9cbda1c84abbec31cbee080f60e9969bd02

  • memory/3768-13-0x0000000075020000-0x00000000757D0000-memory.dmp

    Filesize

    7.7MB

  • memory/3768-14-0x0000000075020000-0x00000000757D0000-memory.dmp

    Filesize

    7.7MB

  • memory/3928-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

    Filesize

    4KB

  • memory/3928-1-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/3928-2-0x00000000750C0000-0x0000000075870000-memory.dmp

    Filesize

    7.7MB

  • memory/3928-3-0x0000000004E40000-0x0000000004EDC000-memory.dmp

    Filesize

    624KB

  • memory/3928-9-0x00000000750C0000-0x0000000075870000-memory.dmp

    Filesize

    7.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.