Malware analysis /kgnfth/tumblr/raw/refs/heads/main/svchost.exe Malicious activity

Add for printing

download:	/kgnfth/tumblr/raw/refs/heads/main/svchost.exe
Full analysis:	https://app.any.run/tasks/80630e0c-8129-4f70-8108-afd1dbe195e3
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	November 21, 2024, 21:17:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	asyncrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	368DEF2E1C8D8B51F2C99BEE8E1F3EDF
SHA1:	1715F6D60910957ADEE1B1127396053CA5C5847C
SHA256:	D822078324CB3602CDBAAE23BA680B506C22CB11433DC1A43D5E80170A22D8F4
SSDEEP:	1536:QSSeOrDGlCpw3s5z1rs83GbbUwvuBW61pqKmY7:QSSeO2lCpw3EzBR3GbbUmu/Oz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ASYNCRAT has been detected (YARA)
  - svchost.exe (PID: 3612)
- Changes the autorun value in the registry
  - svchost.exe (PID: 5496)
SUSPICIOUS
- Starts a Microsoft application from unusual location
  - svchost.exe (PID: 5496)
- The process creates files with name similar to system file names
  - svchost.exe (PID: 5496)
- Starts CMD.EXE for commands execution
  - svchost.exe (PID: 5496)
- The executable file from the user directory is run by the CMD process
  - svchost.exe (PID: 3612)
- Connects to unusual port
  - svchost.exe (PID: 3612)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2956)
- Executing commands from a ".bat" file
  - svchost.exe (PID: 5496)
- Executable content was dropped or overwritten
  - svchost.exe (PID: 5496)
- Process drops legitimate windows executable
  - svchost.exe (PID: 5496)
INFO
- Reads the computer name
  - svchost.exe (PID: 5496)
  - svchost.exe (PID: 3612)
- Creates files or folders in the user directory
  - svchost.exe (PID: 5496)
- Create files in a temporary directory
  - svchost.exe (PID: 5496)
- Reads the machine GUID from the registry
  - svchost.exe (PID: 5496)
  - svchost.exe (PID: 3612)
- Checks supported languages
  - svchost.exe (PID: 5496)
  - svchost.exe (PID: 3612)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AsyncRat

(PID) Process(3612) svchost.exe

C2 (1)45.10.151.182

Ports (1)4477

Version1.0.7

Options

AutoRuntrue

Mutexwerg5e4grretr5n4rbe6a5v45ew

InstallFolder%AppData%

Certificates

Cert1MIICLjCCAZegAwIBAgIVAL9MPe9ylKLRZKSHp0xqguCD59JtMA0GCSqGSIb3DQEBDQUAMGIxEzARBgNVBAMMCnN6dXJ1Ym9vcnUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAyMTAwMDQ5MzlaFw0zNDExMTkwMDQ5MzlaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB...

Server_SignatureLdzi4NBynJ9ohs9UAB3v2huQz3JORs0qcvyQIi5dpPbQym1JpD1e/nFg98vQvfylo077YR4qKyfTcXvfX1hfIA4qCFCQn1k6FLJxFjDuxqqGe5vd/W/TVPhAm8/RBYyEpLBdN/TsmST6gOIX8s0tSJfiPFdkFdQ5y0wa16hoP4Y=

Keys

AESd2aebc7759b62491b7969c769442e07ddc3bd24e3604d0106fc2fdde0a83cebd

SaltDcRatByqwqdanchun

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:11:21 00:47:54+00:00
ImageFileCharacteristics:	Executable
PEType:	PE32
LinkerVersion:	8
CodeSize:	59904
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x1096e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.2.20348.2520
ProductVersionNumber:	6.2.20348.2520
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft Corporation
FileDescription:	Host Process for Windows Services
FileVersion:	6.2.20348.2520
InternalName:	svchost.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
LegalTrademarks:	-
OriginalFileName:	svchost.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	6.2.20348.2520
AssemblyVersion:	6.2.20348.2520

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

117

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2508

timeout 3

C:\Windows\System32\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

timeout - pauses command processing

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2956

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp9FE5.tmp.bat""

C:\Windows\System32\cmd.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

3508

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3612

"C:\Users\admin\AppData\Roaming\svchost.exe"

C:\Users\admin\AppData\Roaming\svchost.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Services

Version:

6.2.20348.2520

Modules

Images
c:\users\admin\appdata\roaming\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

AsyncRat

(PID) Process(3612) svchost.exe

C2 (1)45.10.151.182

Ports (1)4477

Version1.0.7

Options

AutoRuntrue

Mutexwerg5e4grretr5n4rbe6a5v45ew

InstallFolder%AppData%

Certificates

Server_SignatureLdzi4NBynJ9ohs9UAB3v2huQz3JORs0qcvyQIi5dpPbQym1JpD1e/nFg98vQvfylo077YR4qKyfTcXvfX1hfIA4qCFCQn1k6FLJxFjDuxqqGe5vd/W/TVPhAm8/RBYyEpLBdN/TsmST6gOIX8s0tSJfiPFdkFdQ5y0wa16hoP4Y=

Keys

AESd2aebc7759b62491b7969c769442e07ddc3bd24e3604d0106fc2fdde0a83cebd

SaltDcRatByqwqdanchun

5496

"C:\Users\admin\Desktop\svchost.exe"

C:\Users\admin\Desktop\svchost.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Services

Exit code:

Version:

6.2.20348.2520

Modules

Images
c:\users\admin\desktop\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

653

Read events

652

Write events

Delete events

Modification events


(PID) Process:	(5496) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	svchost
Value: "C:\Users\admin\AppData\Roaming\svchost.exe"

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5496	svchost.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:368DEF2E1C8D8B51F2C99BEE8E1F3EDF	SHA256:D822078324CB3602CDBAAE23BA680B506C22CB11433DC1A43D5E80170A22D8F4
5496	svchost.exe	C:\Users\admin\AppData\Local\Temp\tmp9FE5.tmp.bat		text
		MD5:5E8A0AB8AEFEFCB98724104B624B4C99	SHA256:5368928CDB80B078641313BB70CCBEE012D93F42E5F95C56D0319CEDF811AE10

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	184.24.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.24.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2876	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4420	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2876	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	184.24.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.24.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	104.126.37.129:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4932	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	184.24.77.12 184.24.77.35	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	104.126.37.129 104.126.37.154 104.126.37.144 104.126.37.176 104.126.37.128 104.126.37.178 104.126.37.131 104.126.37.139 104.126.37.136	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
login.live.com	40.126.32.140 40.126.32.134 40.126.32.74 20.190.160.17 40.126.32.136 40.126.32.68 40.126.32.138 20.190.160.22	whitelisted
go.microsoft.com	23.43.62.58	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

/kgnfth/tumblr/raw/refs/heads/main/svchost.exe

368DEF2E1C8D8B51F2C99BEE8E1F3EDF

1715F6D60910957ADEE1B1127396053CA5C5847C

D822078324CB3602CDBAAE23BA680B506C22CB11433DC1A43D5E80170A22D8F4

1536:QSSeOrDGlCpw3s5z1rs83GbbUwvuBW61pqKmY7:QSSeO2lCpw3EzBR3GbbUmu/Oz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ASYNCRAT has been detected (YARA)

Changes the autorun value in the registry

SUSPICIOUS

Starts a Microsoft application from unusual location

The process creates files with name similar to system file names

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Connects to unusual port

Uses TIMEOUT.EXE to delay execution

Executing commands from a ".bat" file

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Reads the machine GUID from the registry

Checks supported languages

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings