Malware analysis xxx.ps1 Malicious activity | ANY.RUN - Malware Sandbox Online

Add for printing

File name:	xxx.ps1
Full analysis:	https://app.any.run/tasks/222fe8d3-9686-42c6-8bf4-473f99736b64
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	December 18, 2024, 09:23:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	asyncrat rat crypto-regex
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (65279), with CRLF line terminators
MD5:	4E71954AB5A47DE9F74938DC0CD3C84F
SHA1:	781B4CFFEAD59D083D301C7EEC7D55250B5A4317
SHA256:	3B8FC9046C06420B3382CF851595370E4BB75AD0330C44515AD6BEDB286DBFC7
SSDEEP:	24576:bSgmuyXfET5YN3b2LLG1z/7E4/KpdMJczdsrbIm:biMSNKLq1zjAU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 150 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 4716)
- Uses Task Scheduler to run other applications
  - powershell.exe (PID: 4716)
- ASYNCRAT has been detected (MUTEX)
  - AddInProcess32.exe (PID: 4556)
  - AddInProcess32.exe (PID: 396)
  - AddInProcess32.exe (PID: 5000)
  - AddInProcess32.exe (PID: 2136)
  - AddInProcess32.exe (PID: 4244)
  - AddInProcess32.exe (PID: 2212)
  - AddInProcess32.exe (PID: 5968)
- ASYNCRAT has been detected (YARA)
  - AddInProcess32.exe (PID: 396)
SUSPICIOUS
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 4716)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 4716)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4716)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 4716)
- Likely accesses (executes) a file from the Public directory
  - AutoHotkey64.exe (PID: 2676)
  - schtasks.exe (PID: 3988)
  - AutoHotkey64.exe (PID: 2072)
- Found regular expressions for crypto-addresses (YARA)
  - AddInProcess32.exe (PID: 396)
- The process executes via Task Scheduler
  - AutoHotkey64.exe (PID: 2072)
- Connects to unusual port
  - AddInProcess32.exe (PID: 396)
INFO
- The sample compiled with english language support
  - powershell.exe (PID: 4716)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 4716)
- Checks supported languages
  - AutoHotkey64.exe (PID: 2676)
  - AddInProcess32.exe (PID: 396)
  - AddInProcess32.exe (PID: 2136)
  - AddInProcess32.exe (PID: 5000)
  - AddInProcess32.exe (PID: 4244)
  - AddInProcess32.exe (PID: 4556)
  - AutoHotkey64.exe (PID: 2072)
  - AddInProcess32.exe (PID: 2212)
- The process uses the downloaded file
  - powershell.exe (PID: 4716)
- Reads the computer name
  - AddInProcess32.exe (PID: 4556)
  - AddInProcess32.exe (PID: 4244)
  - AddInProcess32.exe (PID: 396)
  - AddInProcess32.exe (PID: 2136)
  - AddInProcess32.exe (PID: 5000)
- Reads the machine GUID from the registry
  - AddInProcess32.exe (PID: 4556)
  - AddInProcess32.exe (PID: 396)
  - AddInProcess32.exe (PID: 2136)
  - AddInProcess32.exe (PID: 5000)
  - AddInProcess32.exe (PID: 4244)
  - AddInProcess32.exe (PID: 5968)
  - AddInProcess32.exe (PID: 2212)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

16

Malicious processes

10

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

396

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

2072

"C:\Users\Public\Documents\AutoHotkey64.exe"

C:\Users\Public\Documents\AutoHotkey64.exe

—

svchost.exe

User:

admin

Company:

AutoHotkey Foundation LLC

Integrity Level:

MEDIUM

Description:

AutoHotkey Unicode 64-bit

Exit code:

0

Version:

1.1.37.02

Modules

Images
c:\users\public\documents\autohotkey64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\gdi32full.dll

2136

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Exit code:

0

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2212

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Exit code:

0

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

2676

"C:\Users\Public\Documents\AutoHotkey64.exe"

C:\Users\Public\Documents\AutoHotkey64.exe

—

powershell.exe

User:

admin

Company:

AutoHotkey Foundation LLC

Integrity Level:

MEDIUM

Description:

AutoHotkey Unicode 64-bit

Exit code:

0

Version:

1.1.37.02

Modules

Images
c:\users\public\documents\autohotkey64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll

3988

"C:\WINDOWS\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 09:26 /f

C:\Windows\System32\schtasks.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4244

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Exit code:

0

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

4384

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

—

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Exit code:

0

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

4392

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

—

AutoHotkey64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Exit code:

0

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

6 417

Read events

6 417

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

1

Suspicious files

4

Text files

4

Unknown types

0

Dropped files

PID	Process	Filename		Type
4716	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_akna2i1u.3ly.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\771TH4KZDSM0R4LX0QJD.temp		binary
		MD5:25D20C98CC6B0E0B2EAF0212B6BE9062	SHA256:FAAF8EA30D3E24835432925A23F759AAE6C186137F9BDFFCC9EC627C92428030
4716	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sr1bd3yz.jf5.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4716	powershell.exe	C:\Users\Public\Documents\A.txt		text
		MD5:4BFA7384C7F4E87897BBEEA936D09B8C	SHA256:DC25BB34493E3D16FC0CEC229AFE3827908C4F9025F9AF96A694E2EFCFD598C6
4716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:25D20C98CC6B0E0B2EAF0212B6BE9062	SHA256:FAAF8EA30D3E24835432925A23F759AAE6C186137F9BDFFCC9EC627C92428030
4716	powershell.exe	C:\Users\Public\Documents\AutoHotkey64.exe		executable
		MD5:2D0600FE2B1B3BDC45D833CA32A37FDB	SHA256:EFFDEA83C6B7A1DC2CE9E9D40E91DFD59BED9FCBD580903423648B7CA97D9696
4716	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:31EF1394C57CD17D7E4107F1F16ECBB9	SHA256:68BF685FADEE575ECEF9023B95129CC052BEEC404229EC5E059A93A5B78D8428
4716	powershell.exe	C:\Users\Public\Documents\AutoHotkey64.ahk		text
		MD5:A51D3CC02396652AC39DE494E7D725D6	SHA256:D2FB28BBAFA9B105BED3334225778451529CBB2F847594021CCCFAB7F7D69C5D
4716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1362a5.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

4

TCP/UDP connections

49

DNS requests

8

Threats

2

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2324	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2324	svchost.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	2.23.209.189:443	www.bing.com	Akamai International B.V.	GB	whitelisted
2324	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4712	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2324	svchost.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2324	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.189 2.23.209.187 2.23.209.182 2.23.209.181 2.23.209.186 2.23.209.185 2.23.209.130 2.23.209.183 2.23.209.179	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.16.164.106 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
sasaa.kozow.com	69.48.204.229	unknown
self.events.data.microsoft.com	20.42.72.131	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.kozow .com Domain
—	—	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.kozow .com Domain

Add for printing

No debug info