Field | Value |
---|---|
File name | 33.exe |
Full analysis | https://app.any.run/tasks/e7a47097-c968-4bca-b80e-56727863b59a |
Verdict | Malicious activity |
Threats | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
Analysis date | January 10, 2025, 23:00:03 |
OS | Windows 10 Professional (build: 19045, 64 bit) |
Tags | |
Indicators | |
MIME | application/vnd.microsoft.portable-executable |
File info | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
MD5 | 4E3A006CE15ACA43DA90672230A796C1 |
SHA1 | DFF8CA029E78D234B98D5E7D985023CFC082DC83 |
SHA256 | 0A1F90B176650067E0D08E1C9D801D9A62F111D03147F4E031DC0B171414F0E9 |
SSDEEP | 98304:5J3eSS/UsyZkzKVfqvWj98WVeIg8S3qfJQ1knyuyskVRCPZovL2dyx3W5CF9GwKw:/fmUaDGckQBObnTysr0Cl |
Extension | Identified type (score) |
---|---|
.exe | Win64 Executable (generic) (87.3) |
.exe | Generic Win/DOS Executable (6.3) |
.exe | DOS Executable Generic (6.3) |
Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 6 |
ImageVersion | - |
OSVersion | 6 |
EntryPoint | 0xce20 |
UninitializedDataSize | - |
InitializedDataSize | 154624 |
CodeSize | 172032 |
LinkerVersion | 14.41 |
PEType | PE32+ |
ImageFileCharacteristics | Executable, Large address aware |
TimeStamp | 2025:01:10 22:51:39+00:00 |
MachineType | AMD AMD64 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
6520 | "C:\Users\admin\Desktop\33.exe" | C:\Users\admin\Desktop\33.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
6540 | "C:\Users\admin\Desktop\33.exe" | C:\Users\admin\Desktop\33.exe | | 33.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
6564 | C:\WINDOWS\system32\cmd.exe /c start /min C:\Users\admin\AppData\Local\Temp\0a6372bd.exe | C:\Windows\System32\cmd.exe | — | 33.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
6572 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
6664 | C:\Users\admin\AppData\Local\Temp\0a6372bd.exe | C:\Users\admin\AppData\Local\Temp\0a6372bd.exe | | cmd.exe | User: admin; Integrity Level: MEDIUM; Version: 1.0.0.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_decimal.pyd | executable | AD4324E5CC794D626FFCCDA544A5A833 | 040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_lzma.pyd | executable | 66A9028EFD1BB12047DAFCE391FD6198 | E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_hashlib.pyd | executable | 422E214CA76421E794B99F99A374B077 | 78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\INSTALLER | text | 365C9BFEB7D89244F2CE01C1DE44CB85 | CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\libffi-8.dll | executable | 0F8E4992CA92BAAF54CC0B43AACCCE21 | EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\WHEEL | text | A868F93FCF51C4F1C25658D54F994349 | 1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_ctypes.pyd | executable | 2BD5DABBB35398A506E3406BC01EBA26 | 5C4C489AC052795C27AF063C96BC4DB5AB250144D4839050CFA9BB3836B87C32 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_bz2.pyd | executable | C17DCB7FC227601471A641EC90E6237F | 55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\base_library.zip | compressed | 18C3F8BF07B4764D340DF1D612D28FAD | 6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175 |
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_cffi_backend.cp313-win_amd64.pyd | executable | 5CBA92E7C00D09A55F5CBADC8D16CD26 | 0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1460 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1460 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1460 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.16.204.156:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1460 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1460 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com | | whitelisted |
www.bing.com | | whitelisted |
google.com | | whitelisted |
crl.microsoft.com | | whitelisted |
www.microsoft.com | | whitelisted |
self.events.data.microsoft.com | | whitelisted |