File name:

c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955

Full analysis: https://app.any.run/tasks/e66aded9-3dfc-4cd2-b29e-9af05d8db6a0
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 19:45:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

FFAF524B9E6E6F3C520B297B2D87ED0A

SHA1:

8A855AB7FFC459D759228EEDE5D47EA044A580FB

SHA256:

C8A08858411449D9DF33993ACF378EEC801138760CCF743430A6FED73757D955

SSDEEP:

3072:xfWwUw7nNnymHIZOTFbHOxoMtzvUMfq3zs2UFX9Ud/ld9CfwSew6Nbb/vM5J2UVZ:xxHMjYFbVwq3zTOXY9C+w6zhglvToO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • ASYNCRAT has been detected (YARA)

      • winDLL.exe (PID: 7584)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • Executing commands from a ".bat" file

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7472)

    • Executable content was dropped or overwritten

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • The executable file from the user directory is run by the CMD process

      • winDLL.exe (PID: 7584)

    • Connects to unusual port

      • winDLL.exe (PID: 7584)

  • INFO

    • Reads the machine GUID from the registry

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)
      • winDLL.exe (PID: 7584)

    • Checks supported languages

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)
      • winDLL.exe (PID: 7584)

    • Reads the computer name

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)
      • winDLL.exe (PID: 7584)

    • Creates files or folders in the user directory

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • Create files in a temporary directory

      • c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe (PID: 7304)

    • Reads the software policy settings

      • slui.exe (PID: 7816)

    • Checks proxy server information

      • slui.exe (PID: 7816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(7584) winDLL.exe
C2 (1)18.197.94.4
Ports (1)6606
Version0.5.8
BotnetDefault
Options
AutoRuntrue
Mutex7o0VxWGMI2qI
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAJidv/q5VKsQu6wMTycK2zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMzIwMTgzNDQxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMegqwo0ITD5dNQMa53YsJlOPDa3JiQdJbpfhITGFpBnnrn8AJgpab2MkYLUtwV9JoiFT25UP2du...
Server_SignaturemywLexVTsE1VpFVHxXvTkT+nBWqu0Z+VlnzLL5vqulR1gzei7+Kod18W0Mf2VTobb7LSHxulbpnxQz913oJlHsQiLxPNvX8fc6QrlZafpU2IqiIWCAzTIMsTqlw0bepXaJ9W+P1Oleh+JiSLMG5E1C4+A249hR1HNbPH51tiDrZCacRXCYcLzKDuK0e/zneba8gv8j7ftSkm/jBn/g5XvrpYpc6QVcHBGKq3+l2MMRnHizC9kIBEBcN3ahxdITAC5LdsyZCkl7f2Xexxl+p0uE1QWGHItVY8GNRVezkqRsbo...
Keys
AESdf2f0f89655823369a74e938100eb447cfd1e6cb2fd43abbfb835c6338804ee8
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:16 21:40:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 43008
InitializedDataSize: 172032
UninitializedDataSize: -
EntryPoint: 0xc6ee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.10.0.0
ProductVersionNumber: 7.10.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Alexander Roshal
FileDescription: WinRAR
FileVersion: 7.10.0.0
InternalName: WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2025
LegalTrademarks: -
OriginalFileName: WinRAR
ProductName: WinRAR
ProductVersion: 7.10.0.0
AssemblyVersion: 7.10.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs #ASYNCRAT windll.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7304"C:\Users\admin\Desktop\c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe" C:\Users\admin\Desktop\c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR
Exit code:
0
Version:
7.10.0.0
Modules
Images
c:\users\admin\desktop\c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7472C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmpD860.tmp.bat""C:\Windows\SysWOW64\cmd.exec8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7480\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7524timeout 3 C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7584"C:\Users\admin\AppData\Roaming\winDLL.exe" C:\Users\admin\AppData\Roaming\winDLL.exe
cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR
Version:
7.10.0.0
Modules
Images
c:\users\admin\appdata\roaming\windll.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AsyncRat
(PID) Process(7584) winDLL.exe
C2 (1)18.197.94.4
Ports (1)6606
Version0.5.8
BotnetDefault
Options
AutoRuntrue
Mutex7o0VxWGMI2qI
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAJidv/q5VKsQu6wMTycK2zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMzIwMTgzNDQxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMegqwo0ITD5dNQMa53YsJlOPDa3JiQdJbpfhITGFpBnnrn8AJgpab2MkYLUtwV9JoiFT25UP2du...
Server_SignaturemywLexVTsE1VpFVHxXvTkT+nBWqu0Z+VlnzLL5vqulR1gzei7+Kod18W0Mf2VTobb7LSHxulbpnxQz913oJlHsQiLxPNvX8fc6QrlZafpU2IqiIWCAzTIMsTqlw0bepXaJ9W+P1Oleh+JiSLMG5E1C4+A249hR1HNbPH51tiDrZCacRXCYcLzKDuK0e/zneba8gv8j7ftSkm/jBn/g5XvrpYpc6QVcHBGKq3+l2MMRnHizC9kIBEBcN3ahxdITAC5LdsyZCkl7f2Xexxl+p0uE1QWGHItVY8GNRVezkqRsbo...
Keys
AESdf2f0f89655823369a74e938100eb447cfd1e6cb2fd43abbfb835c6338804ee8
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
7816C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 887
Read events
3 886
Write events
1
Delete events
0

Modification events

(PID) Process:(7304) c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:winDLL
Value:
"C:\Users\admin\AppData\Roaming\winDLL.exe"
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7304c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exeC:\Users\admin\AppData\Roaming\winDLL.exeexecutable
MD5:FFAF524B9E6E6F3C520B297B2D87ED0A
SHA256:C8A08858411449D9DF33993ACF378EEC801138760CCF743430A6FED73757D955
7304c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955.exeC:\Users\admin\AppData\Local\Temp\tmpD860.tmp.battext
MD5:BB05A792EF07310B8583122FB55E16D1
SHA256:C032EB738DC2C2A9EAF802709170253892D0B449FD9B22A003F39F85BCCC60CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
22
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.24:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.24:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7584
winDLL.exe
18.197.94.4:6606
AMAZON-02
DE
unknown
4380
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7816
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.24
  • 23.48.23.29
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
c8a08858411449d9df33993acf378eec801138760ccf743430a6fed73757d955