File name:	33.exe
Full analysis:	https://app.any.run/tasks/e7a47097-c968-4bca-b80e-56727863b59a
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 23:00:03
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python asyncrat rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	4E3A006CE15ACA43DA90672230A796C1
SHA1:	DFF8CA029E78D234B98D5E7D985023CFC082DC83
SHA256:	0A1F90B176650067E0D08E1C9D801D9A62F111D03147F4E031DC0B171414F0E9
SSDEEP:	98304:5J3eSS/UsyZkzKVfqvWj98WVeIg8S3qfJQ1knyuyskVRCPZovL2dyx3W5CF9GwKw:/fmUaDGckQBObnTysr0Cl

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:01:10 22:51:39+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	154624
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_bz2.pyd		executable
		MD5:C17DCB7FC227601471A641EC90E6237F	SHA256:55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_decimal.pyd		executable
		MD5:AD4324E5CC794D626FFCCDA544A5A833	SHA256:040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_cffi_backend.cp313-win_amd64.pyd		executable
		MD5:5CBA92E7C00D09A55F5CBADC8D16CD26	SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_hashlib.pyd		executable
		MD5:422E214CA76421E794B99F99A374B077	SHA256:78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_socket.pyd		executable
		MD5:ABF998769F3CBA685E90FA06E0EC8326	SHA256:62D0493CED6CA33E2FD8141649DD9889C23B2E9AFC5FDF56EDB4F888C88FB823
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\_ctypes.pyd		executable
		MD5:2BD5DABBB35398A506E3406BC01EBA26	SHA256:5C4C489AC052795C27AF063C96BC4DB5AB250144D4839050CFA9BB3836B87C32
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\python3.dll		executable
		MD5:AD2C4784C3240063EEAA646FD59BE62C	SHA256:C1DE4BFE57DC4A5BE8C72C865D617DC39DFD8162FCD2CE1FAC9F401CF9EFB504
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography\hazmat\bindings\_rust.pyd		executable
		MD5:34293B976DA366D83C12D8EE05DE7B03	SHA256:A2285C3F2F7E63BA8A17AB5D0A302740E6ADF7E608E0707A7737C1EC3BD8CECC
6520	33.exe	C:\Users\admin\AppData\Local\Temp\_MEI65202\libcrypto-3.dll		executable
		MD5:123AD0908C76CCBA4789C084F7A6B8D0	SHA256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1460	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1460	svchost.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1460	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.204.156:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1460	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1460	svchost.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
www.bing.com	2.16.204.156 2.16.204.138 2.16.204.143 2.16.204.134 2.16.204.135 2.16.204.150 2.16.204.142	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
self.events.data.microsoft.com	20.189.173.9	whitelisted

General Info

33.exe

4E3A006CE15ACA43DA90672230A796C1

DFF8CA029E78D234B98D5E7D985023CFC082DC83

0A1F90B176650067E0D08E1C9D801D9A62F111D03147F4E031DC0B171414F0E9

98304:5J3eSS/UsyZkzKVfqvWj98WVeIg8S3qfJQ1knyuyskVRCPZovL2dyx3W5CF9GwKw:/fmUaDGckQBObnTysr0Cl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ASYNCRAT has been detected (MUTEX)

ASYNCRAT has been detected (YARA)

SUSPICIOUS

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops legitimate windows executable

Process drops python dynamic module

Application launched itself

Loads Python modules

The executable file from the user directory is run by the CMD process

Starts CMD.EXE for commands execution

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings