File name: from_file.exe

Full analysis: https://app.any.run/tasks/a8ddc070-5f10-4e91-8c32-aac92b6c5538
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as a legitimate open-source remote administration tool, but attackers abuse its extensive capabilities for malicious purposes.

Analysis date: October 30, 2023, 13:15:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, asyncrat, remote, sinkhole
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 0E0281A776C11B2BE2B23815729F88F8
SHA1: 8E3275655F104588B31F723E2D5FA5BD9DB66958
SHA256: D3DA918C19797FE4E70B02258D2667F64A97495CB6C9C8C9249462FA84905194
SSDEEP: 1536:eWliiu4a6zwrBClisKwp/CWGLAAHXBbSHzAue9240rIP5x:Dliiu4a6zwrBClPH2RbS8uI2N+x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • from_file.exe (PID: 1884)
    • ASYNCRAT has been detected (SURICATA)
      • from_file.exe (PID: 1884)
    • ASYNCRAT has been detected (YARA)
      • from_file.exe (PID: 1884)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • from_file.exe (PID: 1884)
    • Connects to unusual port
      • from_file.exe (PID: 1884)
    • Reads the Internet Settings
      • from_file.exe (PID: 1884)
  • INFO
    • Checks supported languages
      • from_file.exe (PID: 1884)
      • wmpnscfg.exe (PID: 3984)
    • Reads the computer name
      • from_file.exe (PID: 1884)
      • wmpnscfg.exe (PID: 3984)
    • Create files in a temporary directory
      • from_file.exe (PID: 1884)
    • Reads the machine GUID from the registry
      • from_file.exe (PID: 1884)
      • wmpnscfg.exe (PID: 3984)
    • Reads Environment values
      • from_file.exe (PID: 1884)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3984)

AsyncRat configuration

(PID) Process: (1884) from_file.exe
C2 (1): xxxrepliesxxx.ddnsfree.com
Ports (3): 6006, 7007, 8008
Botnet: Default
Version: | Edit 3LOSH RAT
Options
AutoRun: false
Mutex: AsyncMutex_xx
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...
Server_Signature: WEZFD6ZSIHkBmKPjG4MlnRoRFTDk7Eb5WnfUr+tNf7br3o1PFfGpLMldGxfm4QE6njdDK6LryYnGfr8JiCYd5d3F0Jeb5fmLKrEH1HgdtDZLAdjT1ipL1WA/NwaCKHmIcVq26U6yWMEmzKrV6W1UeAf6+/1XMEC8gjADH44X//zHIhdpHWdkxAH9DBfp2n1CfoB9c+9YTCON0q1hSaQEz22jsiVY9QKufk/xyUFc1JVM0sjz8cBnQkAE/2hHMW37LcTAmvUPaycc15GxOHllXfUELfrnnaF8vAQ2z/VE/ta/...
Keys
AES: 9e5d81ad9980bca4eb66b752a2d61f30328c5cbf279d855191b49342ff2151d1
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:20 19:02:02+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 62976
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x115de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Stub.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Stub.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process nodes): start, from_file.exe (#ASYNCRAT), wmpnscfg.exe (no specs)

Process information

PID: 1884
CMD: "C:\Users\admin\AppData\Local\Temp\from_file.exe"
Path: C:\Users\admin\AppData\Local\Temp\from_file.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\from_file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3984
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 4 350
Read events: 4 335
Write events: 12
Delete events: 3

Modification events

(PID) Process: (1884) from_file.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3984) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C07D4527-B752-4F7C-9F78-2FA2AA297C64}\{5AA8DCD3-32BF-4277-ABE5-DB9821C1A999}
Operation: delete key
Name: (default)
Value: -

(PID) Process: (3984) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C07D4527-B752-4F7C-9F78-2FA2AA297C64}
Operation: delete key
Name: (default)
Value: -

(PID) Process: (3984) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{DEF2692F-C562-4D8E-9ECA-894B44FD4C31}
Operation: delete key
Name: (default)
Value: -
Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 1884, Process: from_file.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: A3831D073FC28000EFDD80858C808147
SHA256: 07DBCDA579FEDB30AAFCB449338D89DDA2872F6DB606521FE390238E6A17028D

PID: 1884, Process: from_file.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF

PID: 1884, Process: from_file.exe
Filename: C:\Users\admin\AppData\Local\Temp\TarB8DF.tmp
Type: binary
MD5: 9441737383D21192400ECA82FDA910EC
SHA256: BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5

PID: 1884, Process: from_file.exe
Filename: C:\Users\admin\AppData\Local\Temp\CabB8DE.tmp
Type: compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 2
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1884 | from_file.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3049f4f41b8f4b96 | unknown | compressed | 61.6 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1884 | from_file.exe | 185.81.157.24:8008 | xxxrepliesxxx.ddnsfree.com | Inulogic Sarl | FR | malicious
1884 | from_file.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted

DNS requests

Domain | IP | Reputation
xxxrepliesxxx.ddnsfree.com | 185.81.157.24 | malicious
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted

Threats

PID | Process | Class | Message
1088 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.ddnsfree .com Domain
1884 | from_file.exe | Domain Observed Used for C2 Detected | REMOTE [ANY.RUN] AsyncRAT SSL certificate
1884 | from_file.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
1884 | from_file.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert
1884 | from_file.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] AsyncRAT Successful Connection