File name: powershell payload.txt

Full analysis: https://app.any.run/tasks/32d45102-1fe1-4846-95bd-77042ae94fa9
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers abuse its extensive remote-control capabilities for malicious purposes.

Analysis date: January 31, 2024, 17:29:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, asyncrat, remote
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5: 4A6EAEBF9BBDA278AF047EA44C85373D
SHA1: 03CDE01EE5FE0F1A0BE9886CD04B46CDFF367C35
SHA256: 54FB920C90A80446A0382C2109F9D3F28743FBDCC7A68F501CD8FC1B18E0DB38
SSDEEP: 12288:Z/rv57RCRYnBjWIdsFh0H2klKh4E/ESaFoz+wswIVkURjzq66/ByOYSRSCQYPiEk:ZzvVRMYBddTWuUzESYoz+MIVfFe6XSRm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts Visual C# compiler
      • powershell.exe (PID: 1028)
    • Drops the executable file immediately after the start
      • csc.exe (PID: 3596)
    • ASYNCRAT has been detected (SURICATA)
      • powershell.exe (PID: 1028)
  • SUSPICIOUS
    • Reads the Internet Settings
      • powershell.exe (PID: 1028)
      • notepad.exe (PID: 1044)
    • Uses .NET C# to load dll
      • powershell.exe (PID: 1028)
    • The Powershell connects to the Internet
      • powershell.exe (PID: 1028)
    • Connects to unusual port
      • powershell.exe (PID: 1028)
    • Unusual connection from system programs
      • powershell.exe (PID: 1028)
    • Executable content was dropped or overwritten
      • csc.exe (PID: 3596)
  • INFO
    • Checks supported languages
      • csc.exe (PID: 3596)
      • cvtres.exe (PID: 3600)
    • Reads the machine GUID from the registry
      • csc.exe (PID: 3596)
      • cvtres.exe (PID: 3600)
    • Manual execution by a user
      • powershell.exe (PID: 1028)
    • Create files in a temporary directory
      • cvtres.exe (PID: 3600)
      • csc.exe (PID: 3596)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 1028
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID: 1044
CMD: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\powershell payload.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3596
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\q0fflboh.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1

PID: 3600
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC827.tmp" "c:\Users\admin\AppData\Local\Temp\CSCFBB2E916464744EB9B5596A5CD5C77E.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.10.25028.0 built by: VCTOOLSD15RTM
Registry activity

Total events: 0
Read events: 0
Write events: 0
Delete events: 0
Modification events: No data

Files activity

Executable files: 1
Suspicious files: 12
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1028 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
  MD5: 6675EDE59684F4A119D2E5DA282AFBE6  SHA256: 5026C5EE8FA9ACB21718BF1FAD563C0A3FD5BC79327611FDF9C4ABD2647CE829
1028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 67BC9011476C87B42100EDEB9660C156  SHA256: 1332A0F6F56E228FD1BF8D1756BBA448C457E74C26A8E2DDA9F0BA80BE65F1BC
3596 | csc.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.out | text
  MD5: 2D73017FFB26E5A83609189F1E2CCB10  SHA256: 502EAE6687A20D3CF6E98E57664139D8AAD789780C681A05AF95EB202D2C6C13
1044 | notepad.exe | C:\Users\admin\Desktop\powershell payload.txt | text
  MD5: 4A6EAEBF9BBDA278AF047EA44C85373D  SHA256: 54FB920C90A80446A0382C2109F9D3F28743FBDCC7A68F501CD8FC1B18E0DB38
1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.0.cs | text
  MD5: 67A804398B333C4A0D8DD6CF668D03EF  SHA256: 26850A6C164460EC00B49F0E509C38C6457F223A2C487C790084C3FB98716DD2
3600 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC827.tmp | binary
  MD5: ACD99718042DB7BFA2B37601D3904B87  SHA256: 8A18BD74B742754E059213A8DF24F93590789A5901FB6BEA8B893C2F135A7084
1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.cmdline | text
  MD5: FD651418D67E211C519CA4FAC4859B67  SHA256: 57E7582346897220AA9D3E0C65CC26D2840AA6EA17248B18F5A716FF8753F593
3596 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCFBB2E916464744EB9B5596A5CD5C77E.TMP | binary
  MD5: 00466CA899CCE5A05268D26914403E5B  SHA256: C4AC857227D230688853394AD1F8CB81E19797A51D8B0827CDE68BF4ABDCCC55
1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TarD920.tmp | binary
  MD5: 9C0C641C06238516F27941AA1166D427  SHA256: 4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\rzuvru4j.ixq.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B  SHA256: (not listed in the report)
Network activity

HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 3
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1028 | powershell.exe | GET | 200 | 184.24.77.205:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?011afa2a3692420e | unknown | compressed | 65.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1028 | powershell.exe | 5.161.113.150:25658 | w89tu45t8e7dqzo.top | Hetzner Online GmbH | US | unknown
1028 | powershell.exe | 184.24.77.205:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1028 | powershell.exe | 104.237.62.212:443 | api.ipify.org | WEBNX | US | unknown

DNS requests

Domain | IP | Reputation
w89tu45t8e7dqzo.top | 5.161.113.150 | malicious
ctldl.windowsupdate.com | 184.24.77.205, 184.24.77.173, 184.24.77.187 | whitelisted
api.ipify.org | 104.237.62.212, 64.185.227.156, 173.231.16.76 | shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1028 | powershell.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
No debug info