File name:	Nuova cartella.zip
Full analysis:	https://app.any.run/tasks/e5a00511-250e-479b-9f2e-7bd8551c3531
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 09:25:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-scr payload ta558 apt stegocampaign loader reverseloader rat asyncrat remote api-base64
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	EA51B1BFE12DF450C8B7F1E6BEDC4856
SHA1:	68314C6F2C46BBB855C2095CD7E8C36878DFC6A7
SHA256:	3854C328A6F6CD29D908ECFDA0FCD239B5C8503067CB8783B9D930677ECF38B3
SSDEEP:	24576:588kBdlr122mso7+8yXNH7r+PGXZed800W595OC0H3uwf7bxB7O8mG4vj:588kBdlrk2mso7+8yXNH7r+PGX8d800g

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:04:29 11:17:12
ZipCRC:	0x59c0296b
ZipCompressedSize:	35883
ZipUncompressedSize:	86016
ZipFileName:	0(1).ps1


(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Nuova cartella.zip
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

PID	Process	Filename		Type
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\0(1).ps1		text
		MD5:CBB3B80A84809277E36AB5A842CCAC39	SHA256:41D58D347820393187DC021D86CBF6926EA3BBC0D83590F4DDA2DE2B5D7CD283
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\Aleichem.js		binary
		MD5:12C5B820868440F4197E6FDCB1E61254	SHA256:239BCF64FC9D0B5DBCD7E1351444244695BD530E510846E0BB91055CA2E97ED1
5800	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BU14UQLCBOV8EDZPIB3T.temp		binary
		MD5:F09D95196745E25777DA0026FEF07D84	SHA256:95246F200E87B95C63FAC8C30846D2B2E95C0B3CB70569D51179C2AC45FD31D9
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\0..js		text
		MD5:E9C94D33539BFA16BC86D65AC6B49705	SHA256:E4846D770EB82608075D3E2D6C3A6754AE5E086327F5F9EA7FF6435B4B042AAD
5800	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hfp11xnh.kzx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\paste_2.js		text
		MD5:5A8E2C737A0B532840BE9474443617B6	SHA256:5BFEDB358B5EBE7DB6793DFB87885FD08D547CDEA786659654BC717C98825A00
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\paste_7.js		text
		MD5:EFA7DF546DC84E784F9F004EC201DC23	SHA256:D87C126BAEC640657FED03C6F493C2AD36B5E0F0483149B952E18688AB422276
5800	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:F09D95196745E25777DA0026FEF07D84	SHA256:95246F200E87B95C63FAC8C30846D2B2E95C0B3CB70569D51179C2AC45FD31D9
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\paste..js		text
		MD5:F1E1B193036890AE61AD7BDB82B4BB3B	SHA256:A0DEE795B9FE96554569C2854167647F630BE4399F294DD2CBAF58BB8ACB27D6
5968	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5968.7671\newfile.ps1		text
		MD5:B93A0C41ED0E1998FA879719DB1B1F3E	SHA256:27AE1B1A96165D0B2BAF1677C68CD26037D4646D3A7041D63FC7DA8F832D7ADF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	302	207.241.224.2:443	https://archive.org/download/new_image_20250413/new_image.jpg	unknown	—	—	—
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	302	207.241.224.2:443	https://archive.org/download/new_image_20250413/new_image.jpg	unknown	—	—	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7424	wscript.exe	GET	301	23.186.113.60:80	http://paste.ee/d/302dzPON/0	unknown	—	—	shared
1568	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1568	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1568	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1568	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	POST	400	40.126.31.69:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5496	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 20.73.194.208	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
login.live.com	40.126.31.128 40.126.31.2 20.190.159.4 40.126.31.71 40.126.31.3 20.190.159.0 20.190.159.2 40.126.31.1	whitelisted
archive.org	207.241.224.2	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
ia801700.us.archive.org	207.241.233.30	whitelisted
paste.ee	23.32.238.107 23.32.238.112	shared
crl.microsoft.com	—	whitelisted
www.microsoft.com	2.23.181.156	whitelisted

PID	Process	Class	Message
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2196	svchost.exe	Misc activity	ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7424	wscript.exe	Potential Corporate Privacy Violation	ET INFO Pastebin-style Service (paste .ee) in TLS SNI
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	A Network Trojan was detected	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

General Info

Nuova cartella.zip

EA51B1BFE12DF450C8B7F1E6BEDC4856

68314C6F2C46BBB855C2095CD7E8C36878DFC6A7

3854C328A6F6CD29D908ECFDA0FCD239B5C8503067CB8783B9D930677ECF38B3

24576:588kBdlr122mso7+8yXNH7r+PGXZed800W595OC0H3uwf7bxB7O8mG4vj:588kBdlrk2mso7+8yXNH7r+PGX8d800g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Opens an HTTP connection (SCRIPT)

Creates internet connection object (SCRIPT)

ASYNCRAT has been detected (SURICATA)

Starts Visual C# compiler

SUSPICIOUS

Runs shell command (SCRIPT)

Executes script without checking the security policy

Probably obfuscated PowerShell command line is found

Possibly malicious use of IEX has been detected

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Uses base64 encoding (POWERSHELL)

Potential Corporate Privacy Violation

Starts CMD.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Manual execution by a user

Script raised an exception (POWERSHELL)

Uses string replace method (POWERSHELL)

Converts byte array into Unicode string (POWERSHELL)

Disables trace logs

Checks proxy server information

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Potential library load (Base64 Encoded 'LoadLibrary')

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats