File name:	1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a
Full analysis:	https://app.any.run/tasks/5734b400-ce46-40e6-950d-7d8ce03001e9
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 01:57:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg pyinstaller python asyncrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	7A88F024575EFDB8A034FEDEA19C9C11
SHA1:	7BDC95B0A4016DDF5EA19E557429CB0DB16514D7
SHA256:	1C168219F487ED2749EAC61D8564BA214670A535FC4277B10773F4D4D8299E8A
SSDEEP:	98304:BkVH6KaNz9hl4T9TB6XzDL7ChuABolDPGTy9T1cMRo+o8D7VFtrQ/3L//OLBUOJS:Z/yBrSq90jSi6r986CFtpnx56f

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:02:26 09:01:47+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	288768
InitializedDataSize:	171520
UninitializedDataSize:	-
EntryPoint:	0x32e60
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(7992) efgk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Antimalware Core Servicex
Value: "C:\Users\admin\AppData\Roaming\Antimalware Core Servicex.exe"

PID	Process	Filename		Type
7876	1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a.exe	C:\Windows\Temp\baili.png		binary
		MD5:27512435DA794092E0A3DD363B721AEA	SHA256:D7F222C345A950FD8CA41814694479041C87CC00E86B1CCFE80146691B755013
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_asyncio.pyd		executable
		MD5:56F958EEBBC62305B4BF690D61C78E28	SHA256:50631361EF074BE42D788818AF91D0301D22FA24A970F41F496D8272B92CFE31
7876	1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a.exe	C:\Windows\Temp\短信轰炸器.exe		executable
		MD5:F68AA26FF1817FD095429E380A8D755C	SHA256:BDED591497224DDF09D9137D5AC41521654ADA8426D75BF0E7C71165C20D4DF1
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_hashlib.pyd		executable
		MD5:3E540EF568215561590DF215801B0F59	SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\VCRUNTIME140.dll		executable
		MD5:32DA96115C9D783A0769312C0482A62D	SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\VCRUNTIME140_1.dll		executable
		MD5:C0C0B4C611561F94798B62EB43097722	SHA256:497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_bz2.pyd		executable
		MD5:684D656AADA9F7D74F5A5BDCF16D0EDB	SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_ctypes.pyd		executable
		MD5:29873384E13B0A78EE9857604161514B	SHA256:3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_lzma.pyd		executable
		MD5:D63E2E743EA103626D33B3C1D882F419	SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_multiprocessing.pyd		executable
		MD5:807DD90BE59EA971DAC06F3AAB4F2A7E	SHA256:B20DD6F5FAB31476D3D8D7F40CB5AB098117FA5612168C0FF4044945B6156D47

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
8188	Antimalware Core Servicex.exe	110.42.61.91:8995	—	NINGBO, ZHEJIANG Province, P.R.China.	CN	malicious
7244	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
7244	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7760	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6544	svchost.exe	20.190.160.66:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6004	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
login.live.com	20.190.160.66 20.190.160.130 40.126.32.136 20.190.160.2 20.190.160.131 40.126.32.134 40.126.32.72 20.190.160.132	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted

General Info

1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a

7A88F024575EFDB8A034FEDEA19C9C11

7BDC95B0A4016DDF5EA19E557429CB0DB16514D7

1C168219F487ED2749EAC61D8564BA214670A535FC4277B10773F4D4D8299E8A

98304:BkVH6KaNz9hl4T9TB6XzDL7ChuABolDPGTy9T1cMRo+o8D7VFtrQ/3L//OLBUOJS:Z/yBrSq90jSi6r986CFtpnx56f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Connects to unusual port

Executes application which crashes

There is functionality for taking screenshot (YARA)

Application launched itself

Loads Python modules

Uses TIMEOUT.EXE to delay execution

INFO

Process checks computer location settings

Reads the computer name

Checks supported languages

The sample compiled with english language support

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Auto-launch of the file from Registry key

Manual execution by a user

PyInstaller has been detected (YARA)

Checks proxy server information

Reads the software policy settings

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests