File name: 33.exe

Full analysis: https://app.any.run/tasks/e7a47097-c968-4bca-b80e-56727863b59a
Verdict: Malicious activity
Threats: AsyncRAT

AsyncRAT is a RAT that can monitor and remotely control infected systems. The malware was published on GitHub as legitimate open-source remote administration software, but attackers abuse its many powerful functions for malicious purposes.

Analysis date: January 10, 2025, 23:00:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python, asyncrat, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 4E3A006CE15ACA43DA90672230A796C1
SHA1: DFF8CA029E78D234B98D5E7D985023CFC082DC83
SHA256: 0A1F90B176650067E0D08E1C9D801D9A62F111D03147F4E031DC0B171414F0E9
SSDEEP: 98304:5J3eSS/UsyZkzKVfqvWj98WVeIg8S3qfJQ1knyuyskVRCPZovL2dyx3W5CF9GwKw:/fmUaDGckQBObnTysr0Cl

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ASYNCRAT has been detected (YARA)
      • 0a6372bd.exe (PID: 6664)
    • ASYNCRAT has been detected (MUTEX)
      • 0a6372bd.exe (PID: 6664)
  • SUSPICIOUS
    • The process drops C-runtime libraries
      • 33.exe (PID: 6520)
    • Loads Python modules
      • 33.exe (PID: 6540)
    • Executable content was dropped or overwritten
      • 33.exe (PID: 6540)
      • 33.exe (PID: 6520)
    • Process drops a legitimate Windows executable
      • 33.exe (PID: 6520)
    • Starts CMD.EXE for command execution
      • 33.exe (PID: 6540)
    • The executable file from the user directory is run by the CMD process
      • 0a6372bd.exe (PID: 6664)
    • Process drops a Python dynamic module
      • 33.exe (PID: 6520)
    • Application launched itself
      • 33.exe (PID: 6520)
  • INFO
    • Reads the computer name
      • 0a6372bd.exe (PID: 6664)
      • 33.exe (PID: 6520)
    • Checks supported languages
      • 33.exe (PID: 6520)
      • 0a6372bd.exe (PID: 6664)
      • 33.exe (PID: 6540)
    • Creates files in a temporary directory
      • 33.exe (PID: 6540)
      • 33.exe (PID: 6520)
    • The sample is compiled with English language support
      • 33.exe (PID: 6520)
    • Reads the machine GUID from the registry
      • 0a6372bd.exe (PID: 6664)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:10 22:51:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start
  33.exe (PID: 6520)
    33.exe (PID: 6540)
      cmd.exe (PID: 6564, no specs)
        conhost.exe (PID: 6572, no specs)
        0a6372bd.exe (PID: 6664, #ASYNCRAT, no specs)

Process information

PID: 6520
CMD: "C:\Users\admin\Desktop\33.exe"
Path: C:\Users\admin\Desktop\33.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules / Images:
c:\users\admin\desktop\33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6540
CMD: "C:\Users\admin\Desktop\33.exe"
Path: C:\Users\admin\Desktop\33.exe
Parent process: 33.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules / Images:
c:\users\admin\desktop\33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 6564
CMD: C:\WINDOWS\system32\cmd.exe /c start /min C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Path: C:\Windows\System32\cmd.exe
Parent process: 33.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 6572
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6664
CMD: C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Path: C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Indicators: #ASYNCRAT
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Version: 1.0.0.0
Modules / Images:
c:\users\admin\appdata\local\temp\0a6372bd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 394
Read events: 394
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 16
Suspicious files: 1
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_bz2.pyd | executable
  MD5: C17DCB7FC227601471A641EC90E6237F
  SHA256: 55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_ctypes.pyd | executable
  MD5: 2BD5DABBB35398A506E3406BC01EBA26
  SHA256: 5C4C489AC052795C27AF063C96BC4DB5AB250144D4839050CFA9BB3836B87C32
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_decimal.pyd | executable
  MD5: AD4324E5CC794D626FFCCDA544A5A833
  SHA256: 040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_cffi_backend.cp313-win_amd64.pyd | executable
  MD5: 5CBA92E7C00D09A55F5CBADC8D16CD26
  SHA256: 0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\VCRUNTIME140.dll | executable
  MD5: 862F820C3251E4CA6FC0AC00E4092239
  SHA256: 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\WHEEL | text
  MD5: A868F93FCF51C4F1C25658D54F994349
  SHA256: 1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_socket.pyd | executable
  MD5: ABF998769F3CBA685E90FA06E0EC8326
  SHA256: 62D0493CED6CA33E2FD8141649DD9889C23B2E9AFC5FDF56EDB4F888C88FB823
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\METADATA | text
  MD5: 526D9AC9D8150602EC9ED8B9F4DE7102
  SHA256: D95F491ED418DC302DB03804DAF9335CE21B2DF4704587E6851EF03E1F84D895
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\base_library.zip | compressed
  MD5: 18C3F8BF07B4764D340DF1D612D28FAD
  SHA256: 6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography\hazmat\bindings\_rust.pyd | executable
  MD5: 34293B976DA366D83C12D8EE05DE7B03
  SHA256: A2285C3F2F7E63BA8A17AB5D0A302740E6ADF7E608E0707A7737C1EC3BD8CECC
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1460 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
1460 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1460 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 2.16.204.156:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1460 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1460 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
www.bing.com | 2.16.204.156, 2.16.204.138, 2.16.204.143, 2.16.204.134, 2.16.204.135, 2.16.204.150, 2.16.204.142 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 2.16.253.202 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted

Threats

No threats detected
No debug info