File name:	27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar
Full analysis:	https://app.any.run/tasks/bbbe6e3d-17be-408d-88ac-5c6af3a00ed0
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 27, 2025, 06:42:30
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec stealer stormkitty evasion telegram worldwind ims-api generic pastebin arch-doc asyncrat rat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	D0309D17522953C9E890B4A14D26C314
SHA1:	91FF528B7C84869EC05203640C3535E0A550F209
SHA256:	ECB7E6CCA4706566C9F7233FA4CE7AFD676EBA459888E0BA05CAA3897225A811
SSDEEP:	24576:SS29/19pDMgoaZYIGCKMdMZnG1NWG/tUhsI/wrT0m+:SS29/TpggoaZYIGCKMdMZnG1NWG/tMsW

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

FileVersion:	RAR v5
CompressedSize:	536563
UncompressedSize:	1044992
OperatingSystem:	Win32
ArchivedFileName:	Quotation Request - SM - TMBL - S05102.pdf.exe


(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

PID	Process	Filename		Type
7800	Quotation Request - SM - TMBL - S05102.pdf.exe	C:\Users\admin\AppData\Local\Temp\recomplete		binary
		MD5:1D192C751429739DB8CDD0DF4468087C	SHA256:95ABB878C9D272A061EAFBE61653B932514EA9B0FE05C3C362595ECFED18383E
7800	Quotation Request - SM - TMBL - S05102.pdf.exe	C:\Users\admin\AppData\Local\Temp\enterogenous		text
		MD5:18265F602A50BFD6E104B3793AAEBADD	SHA256:4A75C3797D213F7835C95E4A969A933D577EC359FD6C105907F5EA5DC1ECA255
7800	Quotation Request - SM - TMBL - S05102.pdf.exe	C:\Users\admin\AppData\Local\Temp\autF7EF.tmp		binary
		MD5:3FAB405CC807B1978787100C5E21A742	SHA256:FEE998984BDB2DD645BBEA0E44A6E3D35BC4FA992C03C4EAC0F875AB30800421
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\desktop.ini		text
		MD5:3A37312509712D4E12D27240137FF377	SHA256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\currentlyclothing.rtf		text
		MD5:EBCA1B2FC8170E098EE61ED240FA8FC5	SHA256:585B6C5EB019A7934C2CD7E39C0325E5FC1E5EDCFBC256629299FD4EE52F12C1
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\baycompleted.rtf		text
		MD5:9C3872ADC20D6CE540BBBE3EA719E1A8	SHA256:3CCD781E5125B761941CD5849E6E692B95960B4E367D487D698A90E38909F67A
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\humanship.jpg		image
		MD5:011C4C514A636EBB2DD108CC2646ED86	SHA256:2DBBE8D5D30BE33F9D876E437D98B60ACC969780B95619952B8A8AAD28790FB6
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\desktop.ini		text
		MD5:ECF88F261853FE08D58E2E903220DA14	SHA256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Desktop\carolinawant.rtf		text
		MD5:EA8C80ADACE92EC560A75D71084C3DEE	SHA256:CBCE4675AC61878625BDFF75533EC2EA4EE56958F37ACE6E3FC991FC5E3920D8
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\Saved Pictures\desktop.ini		text
		MD5:87A524A2F34307C674DBA10708585A5E	SHA256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5796	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	52.168.112.66:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	whitelisted
—	—	GET	200	52.111.229.20:443	https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B11CBA5AD-6481-4359-897B-F31D01E5AF8D%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D	unknown	text	542 b	whitelisted
—	—	GET	200	184.24.77.4:443	https://binaries.templates.cdn.office.net/support/templates/en-us/tp01840907.cab	unknown	compressed	42.6 Kb	whitelisted
—	—	POST	200	52.168.112.66:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	whitelisted
—	—	GET	200	23.53.43.59:443	https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C	unknown	xml	10.7 Kb	whitelisted
5776	RUXIMICS.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5796	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5776	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.196.114:443	https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=d4:da:6d:56:32:50	unknown	binary	88 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5796	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5776	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5796	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5776	RUXIMICS.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5796	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5776	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7828	RegSvcs.exe	104.16.185.241:80	icanhazip.com	CLOUDFLARENET	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.139 23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
icanhazip.com	104.16.185.241 104.16.184.241	whitelisted
api.mylnikov.org	172.67.196.114 104.21.44.66	unknown
api.telegram.org	149.154.167.220	whitelisted
pastebin.com	104.22.68.199 104.22.69.199 172.67.25.94	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	23.48.23.42 23.48.23.11 23.48.23.62 23.48.23.30	whitelisted

PID	Process	Class	Message
7828	RegSvcs.exe	Potential Corporate Privacy Violation	ET INFO Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
7828	RegSvcs.exe	Attempted Information Leak	ET INFO IP Check Domain (icanhazip. com in HTTP Host)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
—	—	Potential Corporate Privacy Violation	ET INFO Wifi Geolocation Lookup Attempt
—	—	Potentially Bad Traffic	ET INFO BSSID Location Lookup via api .mylnikov .org
2196	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7828	RegSvcs.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7828	RegSvcs.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
—	—	Misc activity	ET HUNTING Telegram API Request (GET)

General Info

27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar

D0309D17522953C9E890B4A14D26C314

91FF528B7C84869EC05203640C3535E0A550F209

ECB7E6CCA4706566C9F7233FA4CE7AFD676EBA459888E0BA05CAA3897225A811

24576:SS29/19pDMgoaZYIGCKMdMZnG1NWG/tUhsI/wrT0m+:SS29/TpggoaZYIGCKMdMZnG1NWG/tMsW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

STORMKITTY has been detected (YARA)

Actions looks like stealing of personal data

ASYNCRAT has been detected (MUTEX)

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Starts application with an unusual extension

Uses NETSH.EXE to obtain data on the network

Checks for external IP

Using 'findstr.exe' to search for text patterns in files and output

Starts CMD.EXE for commands execution

Possible usage of Discord/Telegram API has been detected (YARA)

Potential Corporate Privacy Violation

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Manual execution by a user

Reads mouse settings

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Reads the machine GUID from the registry

Creates files or folders in the user directory

Changes the display of characters in the console

Reads CPU info

Disables trace logs

Checks proxy server information

Reads the software policy settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats