Malware analysis worldwind.exe Malicious activity | ANY.RUN

Add for printing

File name:	worldwind.exe
Full analysis:	https://app.any.run/tasks/76249f78-16d4-46d6-8ae8-868929a13be2
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 09, 2023, 16:16:30
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	asyncrat stealer evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	FAFD2FEE2145A1C0CFF13D372694AA11
SHA1:	DD1E28DDFACC273E94FA34846DB572E601248DB1
SHA256:	B9602DF895CFA8CEB21F3B08DC54BA282FC257D8446BDC3E8A8E5AE6C9E78EF1
SSDEEP:	3072:Ee8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTJwARE+WpCc:g6ewwIwQJ6vKX0c5MlYZ0b2i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Steals credentials
  - worldwind.exe (PID: 3420)
- Steals credentials from Web Browsers
  - worldwind.exe (PID: 3420)
- ASYNCRAT detected by memory dumps
  - worldwind.exe (PID: 3420)
- Actions looks like stealing of personal data
  - worldwind.exe (PID: 3420)
SUSPICIOUS
- Write to the desktop.ini file (may be used to cloak folders)
  - worldwind.exe (PID: 3420)
- Reads browser cookies
  - worldwind.exe (PID: 3420)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 1468)
  - cmd.exe (PID: 3248)
- Starts application with an unusual extension
  - cmd.exe (PID: 1468)
  - cmd.exe (PID: 3248)
- Starts CMD.EXE for commands execution
  - worldwind.exe (PID: 3420)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 1468)
- Reads the Internet Settings
  - worldwind.exe (PID: 3420)
- Reads settings of System Certificates
  - worldwind.exe (PID: 3420)
- Checks for external IP
  - worldwind.exe (PID: 3420)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - worldwind.exe (PID: 3420)
INFO
- Creates files or folders in the user directory
  - worldwind.exe (PID: 3420)
- Checks supported languages
  - worldwind.exe (PID: 3420)
  - chcp.com (PID: 3596)
  - chcp.com (PID: 2316)
- Reads the machine GUID from the registry
  - worldwind.exe (PID: 3420)
- Reads the computer name
  - worldwind.exe (PID: 3420)
- The process checks LSA protection
  - worldwind.exe (PID: 3420)
  - netsh.exe (PID: 2800)
  - netsh.exe (PID: 1196)
- Reads Environment values
  - worldwind.exe (PID: 3420)
- Create files in a temporary directory
  - worldwind.exe (PID: 3420)
- [YARA] WLAN manipulation strings were found
  - worldwind.exe (PID: 3420)
- Reads CPU info
  - worldwind.exe (PID: 3420)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AsyncRat

(PID) Process(3420) worldwind.exe

C2 (1)127.0.0.1

Ports (3)6606

7707

8808

Credentials

Protocoltelegram

URLnull

Token5680540790:AAEdId7f5SV2tnT6kXxK3ECoPzVFCgY9fQs

ChatId6186135789

BotnetDefault

Options

AutoRunfalse

MutexAsyncMutex_6SI8OkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...

Server_SignatureJ7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3...

Keys

AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion:	1.0.0.0
ProductVersion:	1.0.0.0
ProductName:	Client
OriginalFileName:	Client.exe
LegalTrademarks:	-
LegalCopyright:	Copyright © 2021
InternalName:	Client.exe
FileVersion:	1.0.0.0
FileDescription:	Client
CompanyName:	-
Comments:	-
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.0
FileVersionNumber:	1.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x2d1be
UninitializedDataSize:	-
InitializedDataSize:	2048
CodeSize:	176640
LinkerVersion:	8
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2023:06:19 17:49:04+00:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	19-Jun-2023 17:49:04
Comments:	-
CompanyName:	-
FileDescription:	Client
FileVersion:	1.0.0.0
InternalName:	Client.exe
LegalCopyright:	Copyright © 2021
LegalTrademarks:	-
OriginalFilename:	Client.exe
ProductName:	Client
ProductVersion:	1.0.0.0
Assembly Version:	1.0.0.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	19-Jun-2023 17:49:04
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00002000	0x0002B1C4	0x0002B200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.92433
.rsrc	0x0002E000	0x00000600	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.0295
.reloc	0x00030000	0x0000000C	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.10191

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST

Imports


mscoree.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1196

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1468

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\cmd.exe

—

worldwind.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2312

findstr All

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2316

chcp 65001

C:\Windows\SysWOW64\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2800

netsh wlan show profile

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

3248

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

—

worldwind.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

3420

"C:\Users\admin\AppData\Local\Temp\worldwind.exe"

C:\Users\admin\AppData\Local\Temp\worldwind.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Client

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\worldwind.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\sspicli.dll

AsyncRat

(PID) Process(3420) worldwind.exe

C2 (1)127.0.0.1

Ports (3)6606

7707

8808

Credentials

Protocoltelegram

URLnull

Token5680540790:AAEdId7f5SV2tnT6kXxK3ECoPzVFCgY9fQs

ChatId6186135789

BotnetDefault

Options

AutoRunfalse

MutexAsyncMutex_6SI8OkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Keys

AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

3596

chcp 65001

C:\Windows\SysWOW64\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

2 370

Read events

2 291

Write events

Delete events

Modification events


(PID) Process:	(3420) worldwind.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2800) netsh.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1196) netsh.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Downloads\desktop.ini		text
		MD5:3A37312509712D4E12D27240137FF377	SHA256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Pictures\airoutdoor.jpg		image
		MD5:58086399A5A264124374561DA5F328C5	SHA256:EBAC096427F5CADF68B4720A6ACC0A71D023C39FAAC1B24E7DFDAA28C86AF5E0
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\irelandedition.rtf		text
		MD5:0668C47B7394EBBE9D1DE242D7BBA966	SHA256:956DAD51C21A5EE21D2365E3900C70F516CA6215396AFB318F80ABA5EF5E03D4
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\desktop.ini		text
		MD5:9E36CC3537EE9EE1E3B10FA4E761045B	SHA256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\includemedium.rtf		text
		MD5:997341F80D9ECE148B211122167C36E6	SHA256:7C301C30E4702776D06C2BB394EE4D2DBDB844696EFAD17BDA9F78D095B8F97E
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\careskip.rtf		text
		MD5:0789E0951FC4F24EFF1BCD34F88B70D6	SHA256:2FC9357A4B122940E1A9D85D605BAA08335CA4D63DF424AEB859019C753E5272
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Downloads\interfacesome.png		image
		MD5:553D533A42E4413844D326F1FB595BB2	SHA256:E20CE6EE7D9744916AB488B852AB6690B3CF3C62B30DCE028D230218023CE737
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\asstext.rtf		text
		MD5:D0ABB94C964F0F9D37756A8ACB2DB21A	SHA256:EA56EAEC93E55A2FFAAF07D959670721BAA38D895492E8D9184F80FBB1B4A6FE
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Documents\oflaws.rtf		text
		MD5:53701B705EFF31B9C7C1A0A3B35392E0	SHA256:4D56E68A353DA2BA6ED87DDD84B980AB9AB1599E8EDF88586472434FFC9803B5
3420	worldwind.exe	C:\Users\admin\AppData\Local\f17cf50e532b3c842321317ea64b8193\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Desktop\accessoriesavailability.rtf		text
		MD5:F2C31F7F849A5094B86FEE9377836550	SHA256:6D99BB7B89C38FB399E36F5604AB8EDE845D7BC8F0D9E4B9C3ED986FB76341C0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	2.16.107.208:80	http://apps.identrust.com/roots/dstrootcax3.p7c	unknown	—	—	shared
3420	worldwind.exe	GET	200	104.18.114.97:80	http://icanhazip.com/	US	text	14 b	shared
—	—	GET	200	8.248.135.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?d4b69a264e597b66	US	binary	1.36 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1208	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
332	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3420	worldwind.exe	104.18.114.97:80	icanhazip.com	CLOUDFLARENET	—	malicious
3420	worldwind.exe	172.67.196.114:443	api.mylnikov.org	CLOUDFLARENET	US	suspicious
3420	worldwind.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	malicious
3420	worldwind.exe	2.16.107.208:80	apps.identrust.com	Akamai International B.V.	DE	malicious
3420	worldwind.exe	8.248.135.254:80	ctldl.windowsupdate.com	LEVEL3	US	malicious
3420	worldwind.exe	172.67.34.170:443	pastebin.com	CLOUDFLARENET	US	malicious

DNS requests

Domain	IP	Reputation
icanhazip.com	104.18.114.97 104.18.115.97	shared
api.mylnikov.org	172.67.196.114 104.21.44.66	suspicious
apps.identrust.com	2.16.107.208 2.16.107.186	shared
ctldl.windowsupdate.com	8.248.135.254 8.253.95.121 8.253.204.121 8.253.204.249 67.27.235.126	whitelisted
api.telegram.org	149.154.167.220	shared
pastebin.com	172.67.34.170 104.20.67.143 104.20.68.143	malicious

Threats

PID	Process	Class	Message
3420	worldwind.exe	Potential Corporate Privacy Violation	ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
3420	worldwind.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
332	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
3420	worldwind.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	ET HUNTING Telegram API Certificate Observed
3420	worldwind.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
3420	worldwind.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
3420	worldwind.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Telegram
3420	worldwind.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
3420	worldwind.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

worldwind.exe

FAFD2FEE2145A1C0CFF13D372694AA11

DD1E28DDFACC273E94FA34846DB572E601248DB1

B9602DF895CFA8CEB21F3B08DC54BA282FC257D8446BDC3E8A8E5AE6C9E78EF1

3072:Ee8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTJwARE+WpCc:g6ewwIwQJ6vKX0c5MlYZ0b2i

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Steals credentials

Steals credentials from Web Browsers

ASYNCRAT detected by memory dumps

Actions looks like stealing of personal data

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Reads browser cookies

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Reads the Internet Settings

Reads settings of System Certificates

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

The process checks LSA protection

Reads Environment values

Create files in a temporary directory

[YARA] WLAN manipulation strings were found

Reads CPU info

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats