File name:

33.exe

Full analysis: https://app.any.run/tasks/e7a47097-c968-4bca-b80e-56727863b59a
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as a legitimate open-source remote administration tool, but threat actors abuse its extensive remote-control capabilities.

Analysis date: January 10, 2025, 23:00:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
asyncrat
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

4E3A006CE15ACA43DA90672230A796C1

SHA1:

DFF8CA029E78D234B98D5E7D985023CFC082DC83

SHA256:

0A1F90B176650067E0D08E1C9D801D9A62F111D03147F4E031DC0B171414F0E9

SSDEEP:

98304:5J3eSS/UsyZkzKVfqvWj98WVeIg8S3qfJQ1knyuyskVRCPZovL2dyx3W5CF9GwKw:/fmUaDGckQBObnTysr0Cl

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by analyst actions during the session and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ASYNCRAT has been detected (MUTEX)

      • 0a6372bd.exe (PID: 6664)
    • ASYNCRAT has been detected (YARA)

      • 0a6372bd.exe (PID: 6664)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 33.exe (PID: 6520)
    • The process drops C-runtime libraries

      • 33.exe (PID: 6520)
    • Executable content was dropped or overwritten

      • 33.exe (PID: 6520)
      • 33.exe (PID: 6540)
    • Process drops python dynamic module

      • 33.exe (PID: 6520)
    • Loads Python modules

      • 33.exe (PID: 6540)
    • The executable file from the user directory is run by the CMD process

      • 0a6372bd.exe (PID: 6664)
    • Starts CMD.EXE for commands execution

      • 33.exe (PID: 6540)
    • Application launched itself

      • 33.exe (PID: 6520)
  • INFO

    • The sample compiled with english language support

      • 33.exe (PID: 6520)
    • Checks supported languages

      • 33.exe (PID: 6520)
      • 33.exe (PID: 6540)
      • 0a6372bd.exe (PID: 6664)
    • Reads the computer name

      • 33.exe (PID: 6520)
      • 0a6372bd.exe (PID: 6664)
    • Create files in a temporary directory

      • 33.exe (PID: 6520)
      • 33.exe (PID: 6540)
    • Reads the machine GUID from the registry

      • 0a6372bd.exe (PID: 6664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0xce20
UninitializedDataSize: -
InitializedDataSize: 154624
CodeSize: 172032
LinkerVersion: 14.41
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2025:01:10 22:51:39+00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes
121
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

start
  33.exe (PID 6520)
    33.exe (PID 6540)
      cmd.exe (PID 6564, no specs)
        conhost.exe (PID 6572, no specs)
        0a6372bd.exe (PID 6664, no specs) #ASYNCRAT

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6520
CMD: "C:\Users\admin\Desktop\33.exe"
Path: C:\Users\admin\Desktop\33.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6540
CMD: "C:\Users\admin\Desktop\33.exe"
Path: C:\Users\admin\Desktop\33.exe
Parent process: 33.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\33.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6564
CMD: C:\WINDOWS\system32\cmd.exe /c start /min C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Path: C:\Windows\System32\cmd.exe
Parent process: 33.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 6572
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6664
CMD: C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Path: C:\Users\admin\AppData\Local\Temp\0a6372bd.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\0a6372bd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
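The chain in the process list above is the part worth a detection rule: 33.exe relaunches itself, the second copy runs cmd.exe with "/c start /min" pointing at an executable it just wrote to %LOCALAPPDATA%\Temp, and the AsyncRAT process (0a6372bd.exe, which loads mscoree.dll under WOW64, i.e. a 32-bit .NET image, consistent with AsyncRAT's C# codebase) ends up as a child of that cmd.exe. The Python below is an added example written for this page; it is not ANY.RUN's signature logic and not code from the sample. It runs the check over constructed process-creation events (Sysmon Event ID 1 shape) modelled on the PIDs and command lines in this report; explorer.exe's PID 1234, its parent PID 900 and the three benign control processes 7000 to 7002 are invented for the test. It reports the dropper, the cmd.exe and the payload that cmd.exe started, and separately flags the self-relaunch, which is how a PyInstaller onefile bootloader behaves (the first process unpacks to a _MEI directory and runs a second copy of itself).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, in the shape of a Sysmon Event ID 1."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories an unprivileged user can write to. A launcher living here is the
# "executable file from the user directory" that the report flags.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:desktop|downloads|appdata\\local\\temp)\\", re.I
)
# cmd.exe ... /c start [/switches ...] [""] <drive>:\...\something.exe
# The target may be bare or double-quoted; an empty "" window title is skipped.
START_EXE = re.compile(
    r'/c\s+start\s+(?:/\w+\s+|""\s+)*'
    r'(?:"(?P<q>[a-z]:\\[^"]+?\.exe)"|(?P<u>[a-z]:\\\S+?\.exe))',
    re.I,
)


def _norm(path: str) -> str:
    """Case-fold and strip surrounding quotes so images and targets compare equal."""
    return path.strip('"').lower()


def find_dropper_chains(events):
    """Return one record per cmd.exe that a user-directory binary used to
    'start' an executable from a user-writable directory, joined with the
    child that actually ran that executable (payload_pid, or None)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not _norm(ev.image).endswith("\\cmd.exe"):
            continue
        m = START_EXE.search(ev.cmdline)
        if m is None:
            continue
        target = _norm(m.group("q") or m.group("u"))
        parent = by_pid.get(ev.ppid)
        # Both ends of the chain must sit in user-writable space: the launcher
        # and the thing it starts. A vendor installer under Program Files that
        # uses the same "start /min" idiom does not match.
        if parent is None or not USER_WRITABLE.match(_norm(parent.image)):
            continue
        if not USER_WRITABLE.match(target):
            continue
        payload = [c.pid for c in events if c.ppid == ev.pid and _norm(c.image) == target]
        hits.append({
            "dropper_pid": parent.pid,
            "cmd_pid": ev.pid,
            "target": target,
            "payload_pid": payload[0] if payload else None,
        })
    return hits


def find_self_relaunch(events):
    """PIDs whose parent runs the very same user-directory image: the onefile
    bootloader pattern behind the report's 'Application launched itself'."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if _norm(parent.image) == _norm(e.image) and USER_WRITABLE.match(_norm(e.image)):
            out.append(e.pid)
    return out


# Constructed events modelled on the report's process list. PIDs 6520..6664 and
# their command lines are taken from the report; explorer.exe (PID 1234, parent
# 900) and the benign controls 7000..7002 are invented for this test.
EVENTS = [
    ProcEvent(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6520, 1234, r"C:\Users\admin\Desktop\33.exe", r'"C:\Users\admin\Desktop\33.exe"'),
    ProcEvent(6540, 6520, r"C:\Users\admin\Desktop\33.exe", r'"C:\Users\admin\Desktop\33.exe"'),
    ProcEvent(6564, 6540, r"C:\Windows\System32\cmd.exe",
              r"C:\WINDOWS\system32\cmd.exe /c start /min C:\Users\admin\AppData\Local\Temp\0a6372bd.exe"),
    ProcEvent(6572, 6564, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6664, 6564, r"C:\Users\admin\AppData\Local\Temp\0a6372bd.exe",
              r"C:\Users\admin\AppData\Local\Temp\0a6372bd.exe"),
    ProcEvent(7000, 800, r"C:\Program Files\Vendor\setup.exe", r'"C:\Program Files\Vendor\setup.exe"'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start /min "" "C:\Program Files\Vendor\helper.exe"'),
    ProcEvent(7002, 1234, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c start /min C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for hit in find_dropper_chains(EVENTS):
        print("dropper chain:", hit)
    print("self-relaunch:", find_self_relaunch(EVENTS))
```

Requiring both the launcher and the target to live in user-writable paths is what keeps the rule quiet on installers and scheduled scripts that use the same start /min idiom; widen USER_WRITABLE to cover ProgramData or the user profile root if your environment's droppers land there.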
Total events
394
Read events
394
Write events
0
Delete events
0

Modification events

No data
Executable files
16
Suspicious files
1
Text files
8
Unknown types
0

Dropped files

PID | Process | Filename | Type
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_decimal.pyd | executable
MD5: AD4324E5CC794D626FFCCDA544A5A833
SHA256: 040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_lzma.pyd | executable
MD5: 66A9028EFD1BB12047DAFCE391FD6198
SHA256: E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_hashlib.pyd | executable
MD5: 422E214CA76421E794B99F99A374B077
SHA256: 78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\INSTALLER | text
MD5: 365C9BFEB7D89244F2CE01C1DE44CB85
SHA256: CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\libffi-8.dll | executable
MD5: 0F8E4992CA92BAAF54CC0B43AACCCE21
SHA256: EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\cryptography-44.0.0.dist-info\WHEEL | text
MD5: A868F93FCF51C4F1C25658D54F994349
SHA256: 1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_ctypes.pyd | executable
MD5: 2BD5DABBB35398A506E3406BC01EBA26
SHA256: 5C4C489AC052795C27AF063C96BC4DB5AB250144D4839050CFA9BB3836B87C32
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_bz2.pyd | executable
MD5: C17DCB7FC227601471A641EC90E6237F
SHA256: 55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\base_library.zip | compressed
MD5: 18C3F8BF07B4764D340DF1D612D28FAD
SHA256: 6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
6520 | 33.exe | C:\Users\admin\AppData\Local\Temp\_MEI65202\_cffi_backend.cp313-win_amd64.pyd | executable
MD5: 5CBA92E7C00D09A55F5CBADC8D16CD26
SHA256: 0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
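The _MEI65202 directory with base_library.zip, the *.pyd modules and the cryptography-44.0.0 dist-info is the runtime extraction of a PyInstaller onefile bundle, and the cp313 tag on _cffi_backend points at CPython 3.13. That can be confirmed statically, before running the file: PyInstaller appends a CArchive whose final 88 bytes are a cookie with the layout !8sIIii64s (magic, archive length, TOC offset, TOC length, Python version, Python DLL name), as written by CArchiveWriter in PyInstaller/archive/writers.py. The Python below is an added example for this page, not part of the report and not PyInstaller's own code: it locates and decodes that cookie in a byte buffer, tolerating data appended after it (an Authenticode signature, for instance), and runs against a constructed stand-in buffer because the sample itself is not reproduced here.

```python
import struct

# Cookie layout from PyInstaller/archive/writers.py (CArchiveWriter), big-endian:
#   magic(8s) total_len(I) toc_pos(I) toc_len(i) pyvers(i) pylib_name(64s)
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def parse_pyinstaller_cookie(data: bytes):
    """Locate the CArchive cookie in `data` and decode it, or return None.

    Searches from the end of the buffer: the cookie normally closes the file,
    but anything appended afterwards (an Authenticode signature, padding)
    would sit behind it, and searching backwards also skips any earlier
    accidental occurrence of the magic in the file body."""
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, total_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN]
    )
    # total_len covers the whole archive including the cookie, so the archive
    # starts that many bytes before the cookie's end; toc_pos is relative to it.
    archive_start = pos + COOKIE_LEN - total_len
    if archive_start < 0:
        return None
    # PyInstaller < 4 encoded the interpreter version as major*10+minor (37);
    # newer releases use major*100+minor (313), which 3.10+ needs to stay unambiguous.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "archive_offset": archive_start,
        "toc_offset": archive_start + toc_pos,
        "toc_len": toc_len,
        "python_version": (major, minor),
        "python_dll": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "trailing_bytes": len(data) - (pos + COOKIE_LEN),
    }


def build_sample(pyvers: int = 313, pylib: bytes = b"python313.dll") -> bytes:
    """Constructed stand-in for a onefile bundle: a fake MZ stub, a pretend
    packed-entry region, a pretend TOC, the cookie, then 16 trailing bytes.
    Only the cookie is laid out the way PyInstaller lays it out."""
    stub = b"MZ" + b"\x90" * 62                       # 64 bytes, not a real PE
    body = b"\x00" * 100                               # pretend compressed entries
    toc = b"TOC!" * 8                                  # pretend TOC, 32 bytes
    total_len = len(body) + len(toc) + COOKIE_LEN      # archive length incl. cookie
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, total_len, len(body), len(toc), pyvers, pylib)
    return stub + body + toc + cookie + b"\x00" * 16


if __name__ == "__main__":
    # On a real file: parse_pyinstaller_cookie(open("33.exe", "rb").read())
    print(parse_pyinstaller_cookie(build_sample()))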
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1460 | svchost.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1460 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1460 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.204.156:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1460 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1460 | svchost.exe | 2.16.253.202:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.204.156
  • 2.16.204.138
  • 2.16.204.143
  • 2.16.204.134
  • 2.16.204.135
  • 2.16.204.150
  • 2.16.204.142
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
self.events.data.microsoft.com
  • 20.189.173.9
whitelisted

Threats

No threats detected
No debug info