File name:	1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a
Full analysis:	https://app.any.run/tasks/5734b400-ce46-40e6-950d-7d8ce03001e9
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 01:57:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg pyinstaller python asyncrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	7A88F024575EFDB8A034FEDEA19C9C11
SHA1:	7BDC95B0A4016DDF5EA19E557429CB0DB16514D7
SHA256:	1C168219F487ED2749EAC61D8564BA214670A535FC4277B10773F4D4D8299E8A
SSDEEP:	98304:BkVH6KaNz9hl4T9TB6XzDL7ChuABolDPGTy9T1cMRo+o8D7VFtrQ/3L//OLBUOJS:Z/yBrSq90jSi6r986CFtpnx56f

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:02:26 09:01:47+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	288768
InitializedDataSize:	171520
UninitializedDataSize:	-
EntryPoint:	0x32e60
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(7992) efgk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Antimalware Core Servicex
Value: "C:\Users\admin\AppData\Roaming\Antimalware Core Servicex.exe"

PID	Process	Filename		Type
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\VCRUNTIME140_1.dll		executable
		MD5:C0C0B4C611561F94798B62EB43097722	SHA256:497A280550443E3E9F89E428E51CB795139CA8944D5DEDD54A7083C00E7164E5
7876	1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a.exe	C:\Windows\Temp\短信轰炸器.exe		executable
		MD5:F68AA26FF1817FD095429E380A8D755C	SHA256:BDED591497224DDF09D9137D5AC41521654ADA8426D75BF0E7C71165C20D4DF1
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_ssl.pyd		executable
		MD5:689F1ABAC772C9E4C2D3BAD3758CB398	SHA256:D3A89AA7E4A1DF1151632A8A5CAF338C4DDDB674EC093BFDBC122ADC9DB28A97
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_ctypes.pyd		executable
		MD5:29873384E13B0A78EE9857604161514B	SHA256:3CC8500A958CC125809B0467930EBCCE88A09DCC0CEDD7A45FACF3E332F7DB33
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_tcl_data\auto.tcl		text
		MD5:97EFA9EBE840EA051F9706504C8BD783	SHA256:08113823951619D659EB03A1F6ACD2F9500E1264795219125A5DF7B83CABCB99
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_bz2.pyd		executable
		MD5:684D656AADA9F7D74F5A5BDCF16D0EDB	SHA256:A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_hashlib.pyd		executable
		MD5:3E540EF568215561590DF215801B0F59	SHA256:0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_lzma.pyd		executable
		MD5:D63E2E743EA103626D33B3C1D882F419	SHA256:7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_queue.pyd		executable
		MD5:CC0F4A77CCFE39EFC8019FA8B74C06D0	SHA256:DEE7D19A9FCAB0DF043DC56F2CDC32F1A2A968AB229679B38B378C61CA0CBA53
7972	短信轰炸器.exe	C:\Users\admin\AppData\Local\Temp\_MEI79722\_overlapped.pyd		executable
		MD5:363409FBACB1867F2CE45E3C6922DDB4	SHA256:F154AC9D5CA0646D18F6197C0406F7541B6E0752B2D82A330036C1E39D3A49E7

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
8188	Antimalware Core Servicex.exe	110.42.61.91:8995	—	NINGBO, ZHEJIANG Province, P.R.China.	CN	malicious
7244	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
7244	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7760	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6544	svchost.exe	20.190.160.66:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6004	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
login.live.com	20.190.160.66 20.190.160.130 40.126.32.136 20.190.160.2 20.190.160.131 40.126.32.134 40.126.32.72 20.190.160.132	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted

General Info

1c168219f487ed2749eac61d8564ba214670a535fc4277b10773f4d4d8299e8a

7A88F024575EFDB8A034FEDEA19C9C11

7BDC95B0A4016DDF5EA19E557429CB0DB16514D7

1C168219F487ED2749EAC61D8564BA214670A535FC4277B10773F4D4D8299E8A

98304:BkVH6KaNz9hl4T9TB6XzDL7ChuABolDPGTy9T1cMRo+o8D7VFtrQ/3L//OLBUOJS:Z/yBrSq90jSi6r986CFtpnx56f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

The executable file from the user directory is run by the CMD process

Uses TIMEOUT.EXE to delay execution

Connects to unusual port

Process drops legitimate windows executable

The process drops C-runtime libraries

Executing commands from a ".bat" file

Process drops python dynamic module

Application launched itself

There is functionality for taking screenshot (YARA)

Loads Python modules

Executes application which crashes

INFO

Reads the computer name

Process checks computer location settings

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Auto-launch of the file from Registry key

Creates files or folders in the user directory

Reads the machine GUID from the registry

Manual execution by a user

PyInstaller has been detected (YARA)

Reads the software policy settings

Checks proxy server information

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests