File name:

korea.exe

Full analysis: https://app.any.run/tasks/1cdc3395-1904-4184-9ce2-038c1b8ef864
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: July 02, 2024, 14:59:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
asyncrat
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

D041FF2E1D6F7A263D3E84B8254E9C43

SHA1:

09F06DF92D72E4412CF75A72E2C448AD4D6A5E79

SHA256:

F7E644D6657F21A224D1BB00983686E72F469F0B587B03837047AEF49EA740AA

SSDEEP:

1536:TSSIOOUD+VCpSPbRMFMTIbbmwON3UcuWyDpqKmY7:TSSIOODVCpSPbOFMTIbbmRwgz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • korea.exe (PID: 3416)

    • ASYNCRAT has been detected (SURICATA)

      • korea.exe (PID: 3416)

    • ASYNCRAT has been detected (YARA)

      • korea.exe (PID: 3416)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • korea.exe (PID: 3416)

    • Reads the Internet Settings

      • korea.exe (PID: 3416)

    • Contacting a server suspected of hosting an CnC

      • korea.exe (PID: 3416)

    • Connects to unusual port

      • korea.exe (PID: 3416)

  • INFO

    • Checks supported languages

      • korea.exe (PID: 3416)
      • wmpnscfg.exe (PID: 2100)

    • Reads the computer name

      • korea.exe (PID: 3416)
      • wmpnscfg.exe (PID: 2100)

    • Reads the machine GUID from the registry

      • korea.exe (PID: 3416)

    • Reads Environment values

      • korea.exe (PID: 3416)

    • Reads the software policy settings

      • korea.exe (PID: 3416)

    • Create files in a temporary directory

      • korea.exe (PID: 3416)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(3416) korea.exe
C2 (1)198.12.66.100
Ports (1)4443
Version5.0.5
Options
AutoRunfalse
MutexVenom_RAT_HVNC_Mutex_Venom RAT_HVNC
InstallFolder%AppData%
Certificates
Cert1MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD...
Server_SignatureXVGmCUJj85r0y+VedH0XyoImhyv60/WimXxSAkeQCoM1ADow6i+5Cjk65I6cCwsZmObHsPo4y+B396Tr3OltXraNcbh6c+gdbqQFM4pRYINcj9ZJMLfZ/QjI/LJ5YWLKqgcRrkn/3fk+fhPTMF6E64TK2Gxjf129BQuwg1+ctTE=
Keys
AES58ce1104379ee3a29ce571510a6d5bae0ce1f5f7f0d80bb93efbbfe674811ac2
SaltVenomByVenom
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:02 11:47:30+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 59904
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x1099e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.5.0
ProductVersionNumber: 5.0.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Venom RAT + HVNC
FileVersion: 5.0.5
InternalName: Client.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: Venom
ProductVersion: 5.0.5
AssemblyVersion: 5.0.5.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ASYNCRAT korea.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2100"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
3416"C:\Users\admin\AppData\Local\Temp\korea.exe" C:\Users\admin\AppData\Local\Temp\korea.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Venom RAT + HVNC
Version:
5.0.5
AsyncRat
(PID) Process(3416) korea.exe
C2 (1)198.12.66.100
Ports (1)4443
Version5.0.5
Options
AutoRunfalse
MutexVenom_RAT_HVNC_Mutex_Venom RAT_HVNC
InstallFolder%AppData%
Certificates
Cert1MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD...
Server_SignatureXVGmCUJj85r0y+VedH0XyoImhyv60/WimXxSAkeQCoM1ADow6i+5Cjk65I6cCwsZmObHsPo4y+B396Tr3OltXraNcbh6c+gdbqQFM4pRYINcj9ZJMLfZ/QjI/LJ5YWLKqgcRrkn/3fk+fhPTMF6E64TK2Gxjf129BQuwg1+ctTE=
Keys
AES58ce1104379ee3a29ce571510a6d5bae0ce1f5f7f0d80bb93efbbfe674811ac2
SaltVenomByVenom
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3416korea.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3416korea.exeC:\Users\admin\AppData\Local\Temp\CabF74D.tmpcompressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3416korea.exeC:\Users\admin\AppData\Local\Temp\TarF74E.tmpcat
MD5:4EA6026CF93EC6338144661BF1202CD1
SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8
3416korea.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:4F6E1ADDC79E85CE4F33124E0E43C022
SHA256:FDFD8E0BB78D9045AD526A50A85EAFD5FF727C176202C14B092C0BF98BB17D31
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
13
DNS requests
6
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3416
korea.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d068838e968d89a4
unknown
unknown
1372
svchost.exe
GET
304
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
3416
korea.exe
198.12.66.100:4443
AS-COLOCROSSING
US
unknown
3416
korea.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
23.50.131.216:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.216
  • 93.184.221.240
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
3416
korea.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
3416
korea.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (VenomRAT)
3416
korea.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
korea.exe