| File name: | SQL SERVER.exe |
| Full analysis: | https://app.any.run/tasks/5b7d0806-b5b3-4fc4-9a3f-666b9d2e3be8 |
| Verdict: | Malicious activity |
| Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date: | August 05, 2023, 11:01:07 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 4988796EC5E2D5E1E3965EF99124565A |
| SHA1: | C9B2D509B55B147E7C21F26C2D763F8C5803EC2C |
| SHA256: | 7D48C0F1AC56067AE17BF707C1871ADD97CC2C41D29D7C4D2512BDB2661B161F |
| SSDEEP: | 3072:2e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTcwARE+WpCc:u6ewwIwQJ6vKX0c5MlYZ0b2R |
MALICIOUS
Steals credentials
- SQL SERVER.exe (PID: 2396)
Steals credentials from Web Browsers
- SQL SERVER.exe (PID: 2396)
ASYNCRAT detected by memory dumps
- SQL SERVER.exe (PID: 2396)
Actions looks like stealing of personal data
- SQL SERVER.exe (PID: 2396)
SUSPICIOUS
Write to the desktop.ini file (may be used to cloak folders)
- SQL SERVER.exe (PID: 2396)
Reads browser cookies
- SQL SERVER.exe (PID: 2396)
Starts application with an unusual extension
- cmd.exe (PID: 3444)
- cmd.exe (PID: 3976)
Starts CMD.EXE for commands execution
- SQL SERVER.exe (PID: 2396)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 3444)
- cmd.exe (PID: 3976)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 3444)
Checks for external IP
- SQL SERVER.exe (PID: 2396)
Reads the Internet Settings
- SQL SERVER.exe (PID: 2396)
Reads settings of System Certificates
- SQL SERVER.exe (PID: 2396)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- SQL SERVER.exe (PID: 2396)
INFO
Reads Environment values
- SQL SERVER.exe (PID: 2396)
Checks supported languages
- SQL SERVER.exe (PID: 2396)
- chcp.com (PID: 1884)
- chcp.com (PID: 1080)
Reads the machine GUID from the registry
- SQL SERVER.exe (PID: 2396)
Reads the computer name
- SQL SERVER.exe (PID: 2396)
The process checks LSA protection
- SQL SERVER.exe (PID: 2396)
- netsh.exe (PID: 1804)
- netsh.exe (PID: 292)
Create files in a temporary directory
- SQL SERVER.exe (PID: 2396)
Creates files or folders in the user directory
- SQL SERVER.exe (PID: 2396)
[YARA] WLAN manipulation strings were found
- SQL SERVER.exe (PID: 2396)
Reads CPU info
- SQL SERVER.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
AsyncRat
(PID) Process(2396) SQL SERVER.exe
C2 (1)127.0.0.1
Ports (3)6606
7707
8808
Credentials
Protocoltelegram
URLnull
Token6403709832:AAGSbFlqK3Xt64jt2SH09HNmfFv--WAI0gE
ChatId5735041959
BotnetDefault
Options
AutoRunfalse
MutexAsyncMutex_6SI8OkPnk
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...
Server_SignatureJ7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3...
Keys
AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| AssemblyVersion: | 1.0.0.0 |
|---|---|
| ProductVersion: | 1.0.0.0 |
| ProductName: | Client |
| OriginalFileName: | Client.exe |
| LegalTrademarks: | - |
| LegalCopyright: | Copyright © 2021 |
| InternalName: | Client.exe |
| FileVersion: | 1.0.0.0 |
| FileDescription: | Client |
| CompanyName: | - |
| Comments: | - |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x2d1be |
| UninitializedDataSize: | - |
| InitializedDataSize: | 2048 |
| CodeSize: | 176640 |
| LinkerVersion: | 8 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2023:08:05 10:37:29+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 05-Aug-2023 10:37:29 |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Client |
| FileVersion: | 1.0.0.0 |
| InternalName: | Client.exe |
| LegalCopyright: | Copyright © 2021 |
| LegalTrademarks: | - |
| OriginalFilename: | Client.exe |
| ProductName: | Client |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 05-Aug-2023 10:37:29 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00002000 | 0x0002B1C4 | 0x0002B200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.92432 |
.rsrc | 0x0002E000 | 0x00000600 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.0295 |
.reloc | 0x00030000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports
mscoree.dll |
Total processes
44
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 292 | netsh wlan show networks mode=bssid | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 568 | findstr All | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1080 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1804 | netsh wlan show profile | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1884 | chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2396 | "C:\Users\admin\AppData\Local\Temp\SQL SERVER.exe" | C:\Users\admin\AppData\Local\Temp\SQL SERVER.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Client Exit code: 0 Version: 1.0.0.0 Modules
AsyncRat(PID) Process(2396) SQL SERVER.exe C2 (1)127.0.0.1 Ports (3)6606 7707 8808 Credentials Protocoltelegram URLnull Token6403709832:AAGSbFlqK3Xt64jt2SH09HNmfFv--WAI0gE ChatId5735041959 BotnetDefault Options AutoRunfalse MutexAsyncMutex_6SI8OkPnk InstallFolder%AppData% BSoDfalse AntiVMfalse Certificates Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB... Server_SignatureJ7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3... Keys AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 | |||||||||||||||
| 3444 | "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All | C:\Windows\System32\cmd.exe | — | SQL SERVER.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3976 | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid | C:\Windows\System32\cmd.exe | — | SQL SERVER.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
5 880
Read events
5 774
Write events
106
Delete events
0
Modification events
| (PID) Process: | (2396) SQL SERVER.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1804) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (292) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
0
Suspicious files
17
Text files
35
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\itpercent.rtf | text | |
MD5:34CF2F05B5E08B1AE2EA2B8D49422BA7 | SHA256:AFF115BB5A68BAADC4F9DE4FDB2997D0DD23535B3A0E24A4ABB6840A436D0C18 | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\Temp\tmp89DC.tmp.dat | binary | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\desktop.ini | text | |
MD5:9E36CC3537EE9EE1E3B10FA4E761045B | SHA256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026 | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\chapterlarger.rtf | text | |
MD5:FBA56635F8E97B6FA06C42581B402E4A | SHA256:2485F798B76E7769404D0DD013D18B5F1199DDF41C7405F8C0DCD22EB9870E1A | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\antisee.png | image | |
MD5:DB87805C01A7B300DDA9E5DD609E31ED | SHA256:95F9251497879F648ABB8F07C855AA0904CB56EAB14EDEE9F8FCBBE73A9BB4AC | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Pictures\desktop.ini | text | |
MD5:29EAE335B77F438E05594D86A6CA22FF | SHA256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4 | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\fewhp.rtf | text | |
MD5:C9677EF9BBFF9E430035109D5629C29D | SHA256:9DA1053615DC231E7E98B1EFBEDB1CCDF47CD6C9545D2FC7A06AC2DDDAE9750D | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Pictures\settingj.png | image | |
MD5:0AF96EAE8E4A00CDD892EA33B6A2463A | SHA256:BA4CBF0AF08CC1229530249C3544E4EAE4D556D001E0339AB62036E235E81652 | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Pictures\virtualparty.png | image | |
MD5:A7CA14931B0721B22910E5D2474EC625 | SHA256:2FA465A765B595DEA13D71F4199D561A9416A218D0AD22F7FEFF57DFF4B13871 | |||
| 2396 | SQL SERVER.exe | C:\Users\admin\AppData\Local\0cc27f7a79c3cbdaa16aa49037c2e720\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\kindmail.rtf | text | |
MD5:880A67DE97933CFA1A5055654734D399 | SHA256:8F76AA617631C840330D63AA400FB34098FBAE4127D2C919EEED5EC853E6818C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
12
DNS requests
5
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2396 | SQL SERVER.exe | GET | 200 | 104.18.114.97:80 | http://icanhazip.com/ | US | text | 14 b | shared |
2396 | SQL SERVER.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f64d34a3c5a1d24b | US | compressed | 62.3 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2640 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2396 | SQL SERVER.exe | 104.18.114.97:80 | icanhazip.com | CLOUDFLARENET | — | malicious |
2396 | SQL SERVER.exe | 172.67.196.114:443 | api.mylnikov.org | CLOUDFLARENET | US | suspicious |
2396 | SQL SERVER.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious |
2396 | SQL SERVER.exe | 172.67.34.170:443 | pastebin.com | CLOUDFLARENET | US | malicious |
2396 | SQL SERVER.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
icanhazip.com |
| shared |
api.mylnikov.org |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
api.telegram.org |
| shared |
pastebin.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2396 | SQL SERVER.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
2396 | SQL SERVER.exe | Potential Corporate Privacy Violation | ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI) |
1088 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
2396 | SQL SERVER.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
2396 | SQL SERVER.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
2396 | SQL SERVER.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
2396 | SQL SERVER.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
2396 | SQL SERVER.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Telegram |