File name: | f559c085934e6e7d98e6d520684196eb |
Full analysis: | https://app.any.run/tasks/739fedc3-c1a1-4692-83e7-4d5e464e4742 |
Verdict: | Malicious activity |
Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
Analysis date: | December 05, 2022, 17:46:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | F559C085934E6E7D98E6D520684196EB |
SHA1: | 3A829E2FAEAA5A48556770CC159A4E291A91A9C3 |
SHA256: | 198886528A13C0F7F03536BAC4A5C449D3B21131887EFA7595C9E9A56A2CFC0E |
SSDEEP: | 768:SubrdT5UohzWUfpdBmo2qV6KjGKG6PIyzjbFgX3iUqaPkMapBDZHx:SubrdT5Pf2FKYDy3bCXSUqQE3dHx |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2020-May-10 05:24:51 |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.0.0.0 |
InternalName: | Stub.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Stub.exe |
ProductName: | - |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2020-May-10 05:24:51 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 43012 | 43520 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.47405 |
.rsrc | 57344 | 2047 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.88507 |
.reloc | 65536 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0611629 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.15228 | 716 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.22615 | 1171 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2708 | "C:\Users\admin\AppData\Local\Temp\f559c085934e6e7d98e6d520684196eb.exe" | C:\Users\admin\AppData\Local\Temp\f559c085934e6e7d98e6d520684196eb.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 Modules
AsyncRat(PID) Process(2708) f559c085934e6e7d98e6d520684196eb.exe C2 (5)127.0.0.1 185.246.220.26 5.tcp.ngrok.io disownnet.duckdns.org 7.tcp.eu.ngrok.io Ports (6)6606 7707 8808 51115 26993 19624 Version0.5.7B Autorunfalse MutexAsyncMutex_6SI8OkPnk CertificateMIIE5jCCAs6gAwIBAgIQAPI53jb4ULzAubdYCVf+VTANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlib29tc3Rpa3MwIBcNMjIxMTIyMDQyOTAyWhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCWJvb21zdGlrczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPil+3ZAmbLp2e5iWmi4Jc8TSaDSVJDKQ9qqtqHn1xIqLOpAi02Z82GD9AEha8DoRlgpR5EPZ+mB720T+CTgn7UNlQhs... Server_SignaturePPqD1aMRY4uDekbEIim5F4vOk6hhS/ouvkwlzP3QY26zuSuR5xkW2W4PZIhyiMPNgg+SjKSEoFNn+m1Ld6d+S4zYgBvQY7qyiDSqt1GnwjI8sNMNdCmEVYpjDi9xOGd7AOiJRRYcmyXWRfJI2L1oCNi/Fa2QpfWHni9P8XaRtWQ7yzAGmWrGPCq/jasY9d7HE3AvOCGtOvcrOux/FAdCorgNqc/SkrSoxNxgDER+ekI987ocNKECcMwn/aPrARRk+cDiFJYbkvIeJlH8TFmJAY4QTvFHdDpbqGlwMh6uOw9G... AntiVMfalse PasteBinnull bdosfalse BotnetDefault Aes_Key47ed71be3a9819c172ab5ccb3346638aa5294a6cbb2e11bae2a1a024734c203a Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 Install_Folder%AppData% |
(PID) Process: | (2708) f559c085934e6e7d98e6d520684196eb.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2708 | f559c085934e6e7d98e6d520684196eb.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:FC4666CBCA561E864E7FDF883A9E6661 | SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B | |||
2708 | f559c085934e6e7d98e6d520684196eb.exe | C:\Users\admin\AppData\Local\Temp\Cab2185.tmp | compressed | |
MD5:FC4666CBCA561E864E7FDF883A9E6661 | SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B | |||
2708 | f559c085934e6e7d98e6d520684196eb.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:CD900A0F9B0B8FBB84D51C2258F4996C | SHA256:FA7E5A00F4314CFC5CD0A260BE1128CAE82FB48C76F4002E34E142FF83BC6410 | |||
2708 | f559c085934e6e7d98e6d520684196eb.exe | C:\Users\admin\AppData\Local\Temp\Tar2186.tmp | cat | |
MD5:73B4B714B42FC9A6AAEFD0AE59ADB009 | SHA256:C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2708 | f559c085934e6e7d98e6d520684196eb.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?65506f2b8dec47b6 | ZA | compressed | 61.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2708 | f559c085934e6e7d98e6d520684196eb.exe | 75.177.105.113:51115 | disownnet.duckdns.org | TWC-11426-CAROLINAS | US | unknown |
2708 | f559c085934e6e7d98e6d520684196eb.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | LLNW | ZA | suspicious |
2708 | f559c085934e6e7d98e6d520684196eb.exe | 3.142.157.76:51115 | 5.tcp.ngrok.io | AMAZON-02 | US | unknown |
2708 | f559c085934e6e7d98e6d520684196eb.exe | 185.246.220.26:7707 | — | Delis LLC | BG | malicious |
2708 | f559c085934e6e7d98e6d520684196eb.exe | 35.157.111.131:19624 | 7.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious |
Domain | IP | Reputation |
---|---|---|
5.tcp.ngrok.io |
| malicious |
dns.msftncsi.com |
| shared |
disownnet.duckdns.org |
| malicious |
7.tcp.eu.ngrok.io |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
2708 | f559c085934e6e7d98e6d520684196eb.exe | A Network Trojan was detected | ET TROJAN Generic AsyncRAT Style SSL Cert |