File name:

msg.exe

Full analysis: https://app.any.run/tasks/6e9d6a83-3d0d-4ce2-86a1-3f6672fd1ac5
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: June 17, 2024, 09:14:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
asyncrat
rat
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

5C04FA9617AD45948C36A5B78B3BC97A

SHA1:

A5F1C82BAE29D8DCF82D8ADBC8D7F2A23C314D1D

SHA256:

385449791B24A14FCF241E52E9F3737F407A1F7E733303E8994745225386FF09

SSDEEP:

1536:U+iiP4ZCnMAY30NwZEceAAEOgDbwPjwVGl3ba79dGx:U+iiP4ZCNY3ZbOgDbwmCx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • msg.exe (PID: 3976)

    • ASYNCRAT has been detected (MUTEX)

      • msg.exe (PID: 3976)

    • ASYNCRAT has been detected (SURICATA)

      • msg.exe (PID: 3976)

    • Actions looks like stealing of personal data

      • msg.exe (PID: 3976)

    • ASYNCRAT has been detected (YARA)

      • msg.exe (PID: 3976)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • msg.exe (PID: 3976)

    • Reads the Internet Settings

      • msg.exe (PID: 3976)

    • Contacting a server suspected of hosting an CnC

      • msg.exe (PID: 3976)

    • Connects to unusual port

      • msg.exe (PID: 3976)

  • INFO

    • Reads Environment values

      • msg.exe (PID: 3976)

    • Reads the machine GUID from the registry

      • msg.exe (PID: 3976)

    • Reads the computer name

      • msg.exe (PID: 3976)
      • wmpnscfg.exe (PID: 928)

    • Checks supported languages

      • msg.exe (PID: 3976)
      • wmpnscfg.exe (PID: 928)

    • Reads the software policy settings

      • msg.exe (PID: 3976)

    • Create files in a temporary directory

      • msg.exe (PID: 3976)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(3976) msg.exe
C2 (1)eazy.webredirect.org
Ports (4)1000
6606
7707
8808
VersionAWS | 3Losh
Options
AutoRunfalse
MutexAsyncMutex_eazy
InstallFolder%AppData%
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...
Server_Signaturea9Ehcanus8YJ8lFvrHwBPRzEhvtoJeSs0V++Qx9UFyg7PArpTgtaumZAKfBc2plBcitGooLhnXTM9q8dDlgX+Sw1OvjWyhCaqOJY+JvmLICXyQ74mGL6FgNgs8q5pnIYpT74LUGhtt3Vs0GKUR67BebzCmmx1IFHZj8FTCohlbCnWKYT+duKKwLMsMO5TGmUu5IOUZUKDii+xk9FhKXwKQ99LEQhT/YLlEKTBfgvYem66K618eGSLQPGOGr/nkuSli82w84nEBFNW3MdTzQPR7I6WddOjugv/4eiGOLoDDmX...
Keys
AES00a3856a6d65465d81800e680ab3ffb78bba178647eca5a792513278634a7dae
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:13 23:35:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 62976
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x114fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Stub.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Stub.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ASYNCRAT msg.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
928"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3976"C:\Users\admin\AppData\Local\Temp\msg.exe" C:\Users\admin\AppData\Local\Temp\msg.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\msg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
AsyncRat
(PID) Process(3976) msg.exe
C2 (1)eazy.webredirect.org
Ports (4)1000
6606
7707
8808
VersionAWS | 3Losh
Options
AutoRunfalse
MutexAsyncMutex_eazy
InstallFolder%AppData%
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...
Server_Signaturea9Ehcanus8YJ8lFvrHwBPRzEhvtoJeSs0V++Qx9UFyg7PArpTgtaumZAKfBc2plBcitGooLhnXTM9q8dDlgX+Sw1OvjWyhCaqOJY+JvmLICXyQ74mGL6FgNgs8q5pnIYpT74LUGhtt3Vs0GKUR67BebzCmmx1IFHZj8FTCohlbCnWKYT+duKKwLMsMO5TGmUu5IOUZUKDii+xk9FhKXwKQ99LEQhT/YLlEKTBfgvYem66K618eGSLQPGOGr/nkuSli82w84nEBFNW3MdTzQPR7I6WddOjugv/4eiGOLoDDmX...
Keys
AES00a3856a6d65465d81800e680ab3ffb78bba178647eca5a792513278634a7dae
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Total events
4 760
Read events
4 746
Write events
14
Delete events
0

Modification events

(PID) Process:(3976) msg.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3976msg.exeC:\Users\admin\AppData\Local\Temp\Tar40A6.tmpbinary
MD5:4EA6026CF93EC6338144661BF1202CD1
SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8
3976msg.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3976msg.exeC:\Users\admin\AppData\Local\Temp\Log.tmptext
MD5:DD639C1E027204F330254365625874BC
SHA256:3896DF3B044C24FC300C97CF0DCA56DBBC20A4A3921441B48FFDAE9D71C4A1F1
3976msg.exeC:\Users\admin\AppData\Local\Temp\Cab40A5.tmpcompressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3976msg.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:62B2C19CD963F4A3DC7DDB615BBFA94C
SHA256:60E52EB35B554EA77A779B4087079A3D8F47802F43F2E35A28DEE027C22AEE78
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
2
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
msg.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?31d9d57bfb4c63d7
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
3976
msg.exe
163.5.169.248:1000
eazy.webredirect.org
Bursabil Teknoloji A.S.
FR
unknown
3976
msg.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown

DNS requests

Domain
IP
Reputation
eazy.webredirect.org
  • 163.5.169.248
unknown
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted

Threats

PID
Process
Class
Message
1088
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.webredirect .org Domain
3976
msg.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
3976
msg.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT Style SSL Cert
3976
msg.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
3976
msg.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
msg.exe