Overview

overview

10

Static

static

10

3ae3b3c0ef...06.exe

windows10-2004-x64

10

3ae3b3c0ef...06.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    57s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/04/2025, 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ae3b3c0ef49720738acebeaa7ea58d511d28261e98fb95f30706e3be568e206.exe

  • Size

    47KB

  • MD5

    7f80e0ba8d535a408b950cca1c5653ae

  • SHA1

    33805fe2b1e00a4b065f5960b35aa9f3247b1a0e

  • SHA256

    3ae3b3c0ef49720738acebeaa7ea58d511d28261e98fb95f30706e3be568e206

  • SHA512

    879fa9218f907f51b01aa488ace41047d51054fc1819aace05d4fd471d01a76281e5ad234644df0a921473b88fe1cf9ee6e8d4be866e683d33993023a6ee401e

  • SSDEEP

    768:9uf09THIzbFGiWUUneomo2qXBjx32JUuHk3PIw8enoP0bnZ4DCzmX/A0v2Iu7k1H:9uf09TH2w24h5wjw8enpbnZS8mvIIuAp

Score
10/10
asyncratevetdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Evet

C2

188.240.81.233:3131

Mutex

dlKNZ2MxZjW2

Attributes
  • delay

    3

  • install

    true

  • install_file

    system32.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ae3b3c0ef49720738acebeaa7ea58d511d28261e98fb95f30706e3be568e206.exe
    "C:\Users\Admin\AppData\Local\Temp\3ae3b3c0ef49720738acebeaa7ea58d511d28261e98fb95f30706e3be568e206.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:5984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5304
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3336
      • C:\Users\Admin\AppData\Roaming\system32.exe
        "C:\Users\Admin\AppData\Roaming\system32.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4972

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.bat
    Filesize

    152B

    MD5

    948689d42ed52ee4730051753194fdc1

    SHA1

    dcb65480edabd3439338536b80e32065f4c24e4f

    SHA256

    2f14f3edf843a484c2b7543fab213bc8c857de7f7a81f57c7af7531fe9c0963a

    SHA512

    63ea518ab8d1a34279ab10eba261321e12f0103aacc3270ca4b3fa0cbf0a5996825327b61dc41173d237513b164148ed2fc9ecc62ba2bab67e875cd47c7414ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\system32.exe
    Filesize

    47KB

    MD5

    7f80e0ba8d535a408b950cca1c5653ae

    SHA1

    33805fe2b1e00a4b065f5960b35aa9f3247b1a0e

    SHA256

    3ae3b3c0ef49720738acebeaa7ea58d511d28261e98fb95f30706e3be568e206

    SHA512

    879fa9218f907f51b01aa488ace41047d51054fc1819aace05d4fd471d01a76281e5ad234644df0a921473b88fe1cf9ee6e8d4be866e683d33993023a6ee401e

    Download Submit

  • memory/4972-14-0x0000000074C80000-0x0000000075431000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4972-17-0x0000000005D40000-0x00000000062E6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4972-18-0x0000000074C80000-0x0000000075431000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5420-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5420-1-0x0000000000120000-0x0000000000132000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5420-2-0x0000000074D20000-0x00000000754D1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5420-3-0x0000000004B90000-0x0000000004BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5420-4-0x0000000005020000-0x00000000050BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5420-9-0x0000000074D20000-0x00000000754D1000-memory.dmp

    Filesize

    7.7MB

    Download