File name:	WindowsUpdate.bat
Full analysis:	https://app.any.run/tasks/f602ba72-a99d-47fe-bfa1-ccbbc7159a38
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 27, 2025, 12:41:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stegocampaign payload ta558 apt loader reverseloader susp-powershell asyncrat
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, Non-ISO extended-ASCII text, with CRLF, NEL line terminators
MD5:	CF0445076DD7CE2F82E77DF4AAF90FF2
SHA1:	A7232B5D211A9B026CBE1BC09109C33E3FEE9DB7
SHA256:	4455DED5290611948E96F95172B5C8FF64227007824937AF3CFEEB9DCA003F19
SSDEEP:	192:6O5+3ijHfANX9P4JxOFfX9YF7l4u1hGxi6Yi/lPzBRNs/XMCx+lecap:64/jfANXWJxEKzwgdiZrrPW

PID	Process	Filename		Type
1328	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dn1mbet0.jw4.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1328	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ukbuindo.ycs.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w3wofngb.bnw.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5324	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3eki2l11.hht.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1020	MSBuild.exe	C:\Users\admin\AppData\Roaming\MyData\DataLogs.conf		text
		MD5:CF759E4C5F14FE3EEC41B87ED756CEA8	SHA256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
5324	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:2FD5ED8CBBFFB531B193ED53099F986A	SHA256:237B7462DCA963B7B09DF2A0E6629AB87FB8A5A3FD741C3C9E9DFCAE24E2E10E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
3156	RUXIMICS.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3156	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	185.199.110.153:443	https://ofice365.github.io/1/test.jpg	unknown	image	5.48 Mb	—
—	—	GET	200	185.166.143.49:443	https://bitbucket.org/sambog/numenrt/raw/main/payload_1748317361_2041.txt	unknown	text	99.6 Kb	whitelisted
7676	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7676	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7676	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7676	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3156	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3156	RUXIMICS.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
3156	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5324	powershell.exe	185.199.109.153:443	ofice365.github.io	FASTLY	US	shared
5324	powershell.exe	185.166.143.48:443	bitbucket.org	AMAZON-02	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1020	MSBuild.exe	178.128.97.207:4449	—	DIGITALOCEAN-ASN	SG	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
ofice365.github.io	185.199.109.153 185.199.108.153 185.199.110.153 185.199.111.153	unknown
bitbucket.org	185.166.143.48 185.166.143.50 185.166.143.49	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
self.events.data.microsoft.com	52.168.117.168	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
—	—	A Network Trojan was detected	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
—	—	Potentially Bad Traffic	PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound
—	—	A Network Trojan was detected	ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

General Info

WindowsUpdate.bat

CF0445076DD7CE2F82E77DF4AAF90FF2

A7232B5D211A9B026CBE1BC09109C33E3FEE9DB7

4455DED5290611948E96F95172B5C8FF64227007824937AF3CFEEB9DCA003F19

192:6O5+3ijHfANX9P4JxOFfX9YF7l4u1hGxi6Yi/lPzBRNs/XMCx+lecap:64/jfANXWJxEKzwgdiZrrPW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

STEGOCAMPAIGN has been detected

Downloads the requested resource (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Uses base64 encoding (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

Probably obfuscated PowerShell command line is found

Get information on the list of running processes

Gets or sets the security protocol (POWERSHELL)

Probably download files using WebClient

Application launched itself

Connects to unusual port

INFO

Uses string replace method (POWERSHELL)

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Create files in a temporary directory

Gets data length (POWERSHELL)

Reads the software policy settings

Converts byte array into Unicode string (POWERSHELL)

Reads security settings of Internet Explorer

Disables trace logs

Checks proxy server information

Found Base64 encoded access to processes via PowerShell (YARA)

Creates files or folders in the user directory

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Reads the computer name

Found Base64 encoded network access via PowerShell (YARA)

Checks supported languages

Reads the machine GUID from the registry

Malware configuration

AsyncRat

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings