File name: filehistory.exe

Full analysis: https://app.any.run/tasks/f616de19-3d05-4735-a262-dbfd289167fe
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Analysis date: September 28, 2024, 15:31:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
asyncrat
confuser
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5: FBA73C5A9ABD2782AF4BCFBCE153E299
SHA1: BEE739C3BCC4F415EF1F363229EFBEDF359CAB6D
SHA256: 43CC6ED0DCD1FA220283F7BBFA79AAF6342FDB5E73CDABDDE67DEBB7E2FFC945
SSDEEP: 12288:f8n3bVLUBUOw4ra554+zy+RG+EBH8ATUUC8upJ:mlG+G5py

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ASYNCRAT has been detected (YARA)
      • filehistory.exe (PID: 6412)
  • SUSPICIOUS
    • Checks Windows Trust Settings
      • filehistory.exe (PID: 6412)
    • Reads security settings of Internet Explorer
      • filehistory.exe (PID: 6412)
    • Connects to unusual port
      • filehistory.exe (PID: 6412)
  • INFO
    • Reads the machine GUID from the registry
      • filehistory.exe (PID: 6412)
    • Reads the computer name
      • filehistory.exe (PID: 6412)
    • Checks supported languages
      • filehistory.exe (PID: 6412)
    • Create files in a temporary directory
      • filehistory.exe (PID: 6412)
    • Reads Environment values
      • filehistory.exe (PID: 6412)
    • Found Base64 encoded reflection usage via PowerShell (YARA)
      • filehistory.exe (PID: 6412)
    • Confuser has been detected (YARA)
      • filehistory.exe (PID: 6412)

AsyncRat

Process: filehistory.exe (PID: 6412)
C2 (3):
  chimpail.com
  aghbh73ehefiv787ywe8ads.com
  o8i9asf86v76t3y67t63gg.cn
Ports (1): 53245
Version: v0.2
Botnet: mar21_23
Options:
  AutoRun: false
  Mutex: afgj6j3umd5uk
  InstallFolder: %AppData%
  BSoD: false
  AntiVM: false
Certificates:
  Cert1: MIIE8jCCAtqgAwIBAgIQAJOLtOK4DcqnHaZsqyb4cTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9FViBHZW9UcnVzdCBpbmMwIBcNMjIwMzAxMTIyNjU5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0VWIEdlb1RydXN0IGluYzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK68Xd0MO8EW/+d8NOBCPuJuyO6tuOargdvVl0gBkk/JeQiexuiOFRlnHrqlkKWbMIfUeVZ7VEwd...
  Server_Signature: YSHRQJ0YRcQoYftOHCm8Z0sEClc8gseGQyUBnKZMXSt01o0rCRReToIimjbPJyGvGHCgu2kHsHtz54BlrLjYpnSLwV6DzfHC4KEMLb7mikgBRKYOpNxE/hP9Z0b2cIlpl5nhgg2R/k/4L2b5pUDqJyuJ5IC2rTCQEbkvl3kbKQt78K0sO3jMFcZb6HaJAXRYimTYnrYRI2JrdsnCau89JA22rLZJPygPaUXYEBNl4BfCNOnfyvFLowinjX4C8zJdWD2GzKrH8SEJOZfxrIef3nPgI0u+ppadWT1NAJXrV5SR...
Keys:
  AES: 6083ac4b3de68f39834dae9ae4462fbdfdfc22f31f3aaa21115377cf6383448f
  Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2087:08:30 02:13:28+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 443392
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: hellowrold
FileVersion: 1.0.0.0
InternalName: hellowrold.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: hellowrold.exe
ProductName: hellowrold
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 115
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 6412
CMD: "C:\Users\admin\Desktop\filehistory.exe"
Path: C:\Users\admin\Desktop\filehistory.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: hellowrold
Version: 1.0.0.0
Modules (Images)

c:\users\admin\desktop\filehistory.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 842
Read events: 842
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6412 | filehistory.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ibupu5no.tld.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6412 | filehistory.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_engnb05g.2qq.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 1
TCP/UDP connections: 26
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2952 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2952 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2952 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6412 | filehistory.exe | 204.11.56.48:53245 | chimpail.com | ULTRADDOS | VG | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
chimpail.com | 204.11.56.48 | unknown
aghbh73ehefiv787ywe8ads.com | | unknown

Threats

No threats detected
No debug info