Edit tour
Windows
Analysis Report
MAdjnpU2Xp.exe
Overview
General Information
| Sample name: | MAdjnpU2Xp.exerenamed because original name is a hash value |
| Original sample name: | 157a3f7a20b22e78c4d3f7ea88538ff7.exe |
| Analysis ID: | 1628657 |
| MD5: | 157a3f7a20b22e78c4d3f7ea88538ff7 |
| SHA1: | 5289f49becfab4122f62ac5dc5f4ed4a6430d1e3 |
| SHA256: | 0ffd5b54317e01a658684577fee5d5c5f53d5b2e105e7cf8c1cdfd9bd8fee780 |
| Tags: | AsyncRATexeRATuser-abuse_ch |
| Infos: |  |
 | |
Detection
AsyncRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match
Classification
- System is w10x64
MAdjnpU2Xp.exe (PID: 6104 cmdline: "C:\Users\ user\Deskt op\MAdjnpU 2Xp.exe" MD5: 157A3F7A20B22E78C4D3F7EA88538FF7) - RegAsm.exe (PID: 6660 cmdline:
#system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{
"Server": "164.92.163.239",
"Ports": "3898",
"Version": "0.5.8",
"Autorun": "false",
"Install_Folder": "%AppData%",
"AES_key": "M8gFCqrOJJZqCx1JYq0tXKezzud1GklJ",
"Mutex": "AbDUeHz1cUxL",
"Certificate": "MIIE8jCCAtqgAwIBAgIQAMgufplwZXWUObORbETzPTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMjI3MTIyNTM3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALAXG8I0Oda301Kb/b25SFQ5fFLOjXPGpbnc1CFJU8j8YhBdWRJtt4UXy19hKnAK188qpk8h4v6syQ4KPMmnMh87xdEs1BDkVcZoICVNHxqoffFLr6kVbwlVpseLHkyKlHAmnIfM9DwRZih0UQPvPn+rq0j9e7dAVZ6q5UbC/XvuGnJvG0N76oxm62TpMzrFp8aSSPLUjnb7cK0K9SnJTeuHKXuCzBz6ybHPeZrIGceNKzNdMwFM6f6Fv7XW33Y+TrfBJ5YcxULk8zbAaR32pXsS9PA+sQh3Hlq+bRBYLwXJtzu6Xf6cDvNL9XOzA41i7vQnhU0B70HCjZmsnKDqWbIlne6MWasnpTAHIFlcGnvfVom7ST0nQIFkFEfvTdxR5cEn4bnIOVoYZJ3dobf3xeAJ57XflyEHQFW0hUPN3UHRH+DqX5Xztf3U+HRgRyBNUAszcBIaSCJFTYq6GlZU0Hf0ICcVROCEBapE5ey0GwV4eGqDIIs47su1bmVwUt8U8dtVz+urOHKNw6EmC5uP71znTIxry4C/ypAZWG1LxcYxid/zKVNMZB+E0MFXZZfdz1Hn1FRSWskf7jN0hSMrD+dj4EruaIoBHtcwvuQHfWBLDeaqnTWgxZV7mwciOb5PwBDwCV/gnW4l4Jmc5fWU0djS0DxWY1Ay0nysXkHA78m3AgMBAAGjMjAwMB0GA1UdDgQWBBRnnlfc8PeW+7qR5y9AYLUe9ltaUjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQB/eReV/2V7aX+2wFV5wiRlIKUXEIenLdJtbuYSByqD0b0+Zhbm9MJtmSLVf1GwPCH+QUNJvqPe880VnuprYb726nCFeOX87hrofCKyxjO5CpSoo2/mT+ysOqyykdAnvkCbw8kyXu7UBXw7vIZIxW3etoK+JFrwpy1u0jJ6llnnj9Z6kdYibFrzKwmJYbJbdGHk3Ah0LgQrYwnEvt9RmgD3WsXAoHItBtXmzW8Cd4lMpfH4OZFESZf031MfVBAlXXuJHW4KxDy5/wFRFAGd5afl6lfzflqXmnXeG9LvGs28MclqDRmaEaZAnos5YEy7caXtD79bHOC6sAj4WPso2X+h97Cx7LMuXiVE5t+kVrnzNxgUUl9dmPrNu3Sf0NCfOvJZkrutScadynVqxGLQ3LPHURALsMQNUGhE7dSzxGTIw9FUzwPbE1IGuO0KzOCkRqBjzRqEEXXXjd2tckpAnPH91rGh8rC+Nre83Quhyupcs9XfClahlLTpVht/eZvkAQLJ4RD33bksoeVKsKtcxYvzodbu3Zny+aWeF89Ford0wvLoAPzbGBdpzPvsqax63HQJCql5h98ovIfG1wnBylDi7XR+f4LQm5KWJxMH2ovJH6xOZM1HVSCQO+Fvd3OWR5cLBthKHk0fqJXOjSf50OZSQOERTt6xq9biTUkjEdI4MA==",
"ServerSignature": "r0sDxZc/+EUUY+4fptcRe+9FfNLkjcGro3dc3o1aL9ZdI8pcpfQygNIG53NXBStkXm/NXRbXYt46U6ylRZ9nVb/RCSRbTXBa5IPAB9E0ezv4H0QayUESX7efOkhTmc5dHCIjtzJeEGhqz5Eqjv2agJXQka1UPmnrHDvt5eSMP2cprqTX7ZNhjT4wIXoQbC0i7Wbqw1/EVxiLkF+Lah2t5lnZUD3o/WZoM9c24NeBxxH95LLZwIpC/tQUEVRtvGd4GKTfIRtdIAqmmMmnUW/LpszCATvrorHzOXNpUwMhJ0ByvGbaRdx+WC2mnBWEsbcA1C3Ycf1MtWD6vzTLTcrrxR9trQnPM1SMxdRjCXxJtIRoEjhVO3+5Tp8KXbq7r5Md6ipGyGHgqCIj343/WJWxuJo46EJSl3J1ukduhoiprTcncLUkDuTf5VFMuUxJ140K/0dmJGdTNCVZYSXHDX7+7oOoRZ/gDBZEzII0OfwN+JkZUuxYSgckQ0i8f0CxB7bxyVDqXwkBGtYvNN6Sqlr0028bWY3YVSlvtO4xzFA9nhGp29paQWjdMYdyDhR4Qy8FFtoJr1hOkUHRLf0Y5VX2p774v5Coukgv0dLJqKfgWEBfGuy2J3dg8WxxryWR6mCdpu6CU+vUdMZZb4cdLmzE/sRjX4yBGfqzvP8udzb5twM=",
"BDOS": "false",
"External_config_on_Pastebin": "null"
}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
| rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io |
| |
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Click to see the 23 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-04T01:52:15.261108+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 164.92.163.239 | 3898 | 192.168.2.5 | 49704 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-04T01:52:15.261108+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 164.92.163.239 | 3898 | 192.168.2.5 | 49704 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-04T01:52:15.261108+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 164.92.163.239 | 3898 | 192.168.2.5 | 49704 | TCP |
- • AV Detection
- • Compliance
- • Networking
- • Key, Mouse, Clipboard, Microphone and Screen Capturing
- • System Summary
- • Data Obfuscation
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||