File name:	reversheshellb64batTO.exe
Full analysis:	https://app.any.run/tasks/ccb7cde1-1e79-4c4a-9cf7-cbb71efade76
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 18:12:21
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	susp-powershell loader asyncrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	924600F20773E63DB025E1150848800B
SHA1:	BAFB301AD2DDAD2A42841E4EEDC6E8819651703F
SHA256:	59464C7FE56FFA979167B72FE0E1BA956B945FDC3D397231671F3964C9C52552
SSDEEP:	3072:ezvOp90TY6SA20EvIVBJmyxCqsKKiWbMjY:45ljEwPWiWbAY

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:07:30 08:52:50+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	68608
InitializedDataSize:	20992
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.1.1.1
ProductVersionNumber:	1.1.1.1
FileFlagsMask:	0x003f
FileFlags:	Debug, Pre-release, Private build
FileOS:	Windows 16-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
FileVersion:	1.1.1.1
ProductVersion:	1.1.1.1
ProductName:	Runtime Broker


(PID) Process:	(2240) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\
Value:

PID	Process	Filename		Type
4724	reversheshellb64batTO.exe	C:\Users\admin\AppData\Local\Temp\C517.tmp\C518.tmp\C519.bat		text
		MD5:2998887E3CAB9B4FE6676D591ED0A0D2	SHA256:F19B1B5A346272B65F293EC9B8186F1B09B5E6C19C619BA7BF2074394F0CEFA8
3884	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nqxykhaj.pcq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5868	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3r5pcv3a.vul.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3d2zotmd.nw1.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3884	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0v2d00ps.xwp.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6156	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kqdsr4ym.psk.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7052	reversheshellb64batTO.exe	C:\Users\admin\AppData\Local\Temp\DA54.tmp\DA55.tmp\DA56.bat		text
		MD5:2998887E3CAB9B4FE6676D591ED0A0D2	SHA256:F19B1B5A346272B65F293EC9B8186F1B09B5E6C19C619BA7BF2074394F0CEFA8
6080	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4fhxj3z0.up1.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1188	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u2hc3wrz.rex.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6080	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1yozqjgf.ude.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	301	104.18.111.161:443	https://tinyurl.com/giteaRUNTIME	unknown	html	510 b	whitelisted
—	—	GET	200	18.245.31.94:443	https://gitea.com/Unlepx/UXLP-NM/raw/branch/main/RuntimeBroker.exe	unknown	executable	48.0 Kb	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	200	20.190.160.67:443	https://login.live.com/RST2.srf	unknown	xml	1.35 Kb	whitelisted
—	—	POST	200	20.190.160.2:443	https://login.live.com/RST2.srf	unknown	xml	6.88 Kb	whitelisted
—	—	POST	200	20.190.160.14:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.160.66:443	https://login.live.com/RST2.srf	unknown	xml	5.15 Kb	whitelisted
—	—	POST	400	20.190.160.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	GET	200	20.31.169.57:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T181432Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=3e4ce3be5eea49e2949115991baefec3&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967813&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358343&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	2.95 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6080	powershell.exe	104.17.112.233:443	tinyurl.com	CLOUDFLARENET	—	whitelisted
6080	powershell.exe	34.217.253.146:443	gitea.com	AMAZON-02	US	suspicious
4	System	192.168.100.255:137	—	—	—	whitelisted
4560	RuntimeBroker.exe	193.161.193.99:63495	dadfsfsdfasdfasddfgssdfaafsd-63495.portmap.host	OOO Bitree Networks	RU	malicious
6048	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114 2.19.11.120 2.19.11.105	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
tinyurl.com	104.17.112.233 104.18.111.161	whitelisted
gitea.com	34.217.253.146	unknown
dadfsfsdfasdfasddfgssdfaafsd-63495.portmap.host	193.161.193.99	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	20.190.160.5 40.126.32.76 20.190.160.132 20.190.160.67 20.190.160.66 20.190.160.22 20.190.160.14 20.190.160.2	whitelisted
arc.msn.com	20.31.169.57	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] URL Shortener TinyURL (tinyurl .com)
2196	svchost.exe	Misc activity	INFO [ANY.RUN] Possible short link service (tinyurl .com)
6080	powershell.exe	Potentially Bad Traffic	ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI)
2196	svchost.exe	Potentially Bad Traffic	ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com)
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)

General Info

reversheshellb64batTO.exe

924600F20773E63DB025E1150848800B

BAFB301AD2DDAD2A42841E4EEDC6E8819651703F

59464C7FE56FFA979167B72FE0E1BA956B945FDC3D397231671F3964C9C52552

3072:ezvOp90TY6SA20EvIVBJmyxCqsKKiWbMjY:45ljEwPWiWbAY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Application launched itself

Script adds exclusion path to Windows Defender

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Uses REG/REGEDIT.EXE to modify registry

Connects to unusual port

INFO

Process checks computer location settings

Create files in a temporary directory

Checks supported languages

The sample compiled with english language support

Reads the computer name

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Script raised an exception (POWERSHELL)

Found Base64 encoded network access via PowerShell (YARA)

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the machine GUID from the registry

The executable file from the user directory is run by the Powershell process

Reads the software policy settings

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity