File name: | b053c0ae7e661821fb518b47470997e4 |
Full analysis: | https://app.any.run/tasks/01125215-d0e6-46ff-ad56-8b1626c15889 |
Verdict: | Malicious activity |
Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
Analysis date: | December 06, 2022, 00:55:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | B053C0AE7E661821FB518B47470997E4 |
SHA1: | A6F973970CA00A3ADCC2911226716C7E19F25628 |
SHA256: | B849210061C7A281CAD816DA9807F70A98EA8290D936D5DF1649772851965CDD |
SSDEEP: | 768:ku6RaupTPYzbs8WU+eaamo2q1/ox6UeXAh6PICkD0bXL4FlyBFhghQLobeAC4PBF:ku6YupTPsj2FgwhC9bXLcyghQOjdJx |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2020-May-10 05:24:51 |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.0.0.0 |
InternalName: | Stub.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Stub.exe |
ProductName: | - |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2020-May-10 05:24:51 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 45604 | 46080 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.59827 |
.rsrc | 57344 | 2047 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.88507 |
.reloc | 65536 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.15228 | 716 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.22615 | 1171 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3188 | "C:\Users\admin\AppData\Local\Temp\b053c0ae7e661821fb518b47470997e4.exe" | C:\Users\admin\AppData\Local\Temp\b053c0ae7e661821fb518b47470997e4.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 Modules
AsyncRat(PID) Process(3188) b053c0ae7e661821fb518b47470997e4.exe C2 (7)127.0.0.1 185.246.220.26 5.tcp.ngrok.io disownnet.duckdns.org 7.tcp.eu.ngrok.io 6.tcp.eu.ngrok.io: 0.tcp.eu.ngrok.io Ports (9)6606 7707 8808 51115 26993 19624 12336 18867 5200 Version0.5.7B Autorunfalse MutexAsyncMutex_6SI8OkPnk CertificateMIIE5jCCAs6gAwIBAgIQAPI53jb4ULzAubdYCVf+VTANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlib29tc3Rpa3MwIBcNMjIxMTIyMDQyOTAyWhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCWJvb21zdGlrczCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPil+3ZAmbLp2e5iWmi4Jc8TSaDSVJDKQ9qqtqHn1xIqLOpAi02Z82GD9AEha8DoRlgpR5EPZ+mB720T+CTgn7UNlQhs... Server_SignatureSObGMl4dTqvNY0WCnrfJMqGEYgCsxJmqPEImrqaksUvoaKd5fhA9r+5eIaW4K/XQE90iHhrSeayvt8jFdBPU92/X9TyjLai6n+3al/aR8Rmwbgg0/ub2BxDVQBohdsswtlxx1sK49Ve2uAiAD9UTpifbDm/qHJKAFKOx0tcGXY7C4LXACF2uvGk5AOKbHk9crUsLw0ti6sOFUbcbZ31rfWsRpA1zTRnOljyIZeE3bEqbC7IU9AHAmcusKgy9pTxlXdWpzzRQcZL9dH8f5xQzLVmNfi6xHYef0FLlfjcSaECH... AntiVMfalse PasteBinnull bdosfalse BotnetDefault Aes_Key61b6d404e3c1ac39dd21d7e7b963d7039ce03ead3d55cd6b168a08e86e28fd7a Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 Install_Folder%AppData% |
(PID) Process: | (3188) b053c0ae7e661821fb518b47470997e4.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3188 | b053c0ae7e661821fb518b47470997e4.exe | 3.141.204.47:8808 | 5.tcp.ngrok.io | AMAZON-02 | US | malicious |
3188 | b053c0ae7e661821fb518b47470997e4.exe | 3.67.15.169:19624 | 7.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious |
3188 | b053c0ae7e661821fb518b47470997e4.exe | 3.142.157.76:8808 | 5.tcp.ngrok.io | AMAZON-02 | US | unknown |
3188 | b053c0ae7e661821fb518b47470997e4.exe | 3.124.142.205:5200 | 0.tcp.eu.ngrok.io | AMAZON-02 | DE | malicious |
3188 | b053c0ae7e661821fb518b47470997e4.exe | 185.246.220.26:7707 | — | Delis LLC | BG | malicious |
Domain | IP | Reputation |
---|---|---|
5.tcp.ngrok.io |
| malicious |
dns.msftncsi.com |
| shared |
0.tcp.eu.ngrok.io |
| malicious |
7.tcp.eu.ngrok.io |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |