| Field | Value |
|---|---|
| File name | Defender Control.exe |
| Full analysis | https://app.any.run/tasks/dd31c2a3-4c64-4ba2-a552-ebd941c8f69a |
| Verdict | Malicious activity |
| Threats | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions. |
| Analysis date | February 17, 2024, 00:07:17 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 9F6C34EF2775B528772CE4AF517EE292 |
| SHA1 | 0E18276BADAD6CD1AD56C168E55273850AA21BE2 |
| SHA256 | F9702EE002E8BB5857D7B3555022A68F5303547677B5F4A0A75BA744939C28F2 |
| SSDEEP | 49152:54yJX3DOZDNghYjRjlpaDw11SjsHb+msjca3ZiPNcr0P/+kveK3BYGTI30xdpjfO:5TFuzxwprLeiZbyKOqkWX8tik |
| Extension | Identification |
|---|---|
| .exe | Win64 Executable (generic) (76.3) |
| .exe | Win32 Executable (generic) (12.4) |
| .exe | Generic Win/DOS Executable (5.5) |
| .exe | DOS Executable Generic (5.5) |
| Field | Value |
|---|---|
| Subsystem | Windows GUI |
| SubsystemVersion | 4 |
| ImageVersion | - |
| OSVersion | 1 |
| EntryPoint | 0x1000 |
| UninitializedDataSize | - |
| InitializedDataSize | 1536 |
| CodeSize | 1803264 |
| LinkerVersion | 1.73 |
| PEType | PE32 |
| ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit |
| TimeStamp | 2024:02:16 22:20:02+00:00 |
| MachineType | Intel 386 or later, and compatibles |
| PID | Command line | Path | Parent process | User | Integrity level | Exit code | Company / description / version |
|---|---|---|---|---|---|---|---|
| 2472 | "C:\Users\admin\Desktop\Defender Control.exe" | C:\Users\admin\Desktop\Defender Control.exe | explorer.exe | admin | MEDIUM | 0 | — |
| 3656 | "C:\Users\admin\AppData\Local\Temp\dControl.exe" | C:\Users\admin\AppData\Local\Temp\dControl.exe | Defender Control.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | www.sordum.org; dControl v2.1; 2.1.0.0 |
| 2840 | "C:\Users\admin\AppData\Local\Temp\dControl.exe" | C:\Users\admin\AppData\Local\Temp\dControl.exe | Defender Control.exe | admin | HIGH | 0 | www.sordum.org; dControl v2.1; 2.1.0.0 |
| 3464 | C:\Users\admin\AppData\Local\Temp\dControl.exe | C:\Users\admin\AppData\Local\Temp\dControl.exe | dControl.exe | SYSTEM | SYSTEM | 0 | www.sordum.org; dControl v2.1; 2.1.0.0 |
| 3460 | "C:\Users\admin\AppData\Local\Temp\dllhost.exe" | C:\Users\admin\AppData\Local\Temp\dllhost.exe | Defender Control.exe | admin | MEDIUM | 0 | 1.0.7.0 |
| 2624 | "C:\Users\admin\AppData\Local\Temp\svchost.exe" | C:\Users\admin\AppData\Local\Temp\svchost.exe | Defender Control.exe | admin | MEDIUM | — | — |
| 3992 | "C:\Users\admin\AppData\Local\Temp\dControl.exe" /TI | C:\Users\admin\AppData\Local\Temp\dControl.exe | dControl.exe | SYSTEM | SYSTEM | — | www.sordum.org; dControl v2.1; 2.1.0.0 |
| 3936 | "C:\Users\admin\AppData\Local\Temp\dlhost.exe" | C:\Users\admin\AppData\Local\Temp\dlhost.exe | Defender Control.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | 1.0.0.0 |
| 4044 | "C:\Users\admin\AppData\Local\Temp\dlhost.exe" | C:\Users\admin\AppData\Local\Temp\dlhost.exe | Defender Control.exe | admin | HIGH | 0 | 1.0.0.0 |
| 1496 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\4uazkdsx.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | dlhost.exe | admin | HIGH | 0 | Microsoft Corporation; Visual C# Command Line Compiler; 8.0.50727.5483 (Win7SP1GDR.050727-5400) |

NjRat configuration extracted from PID 2624 (svchost.exe):

| Field | Value |
|---|---|
| C2 | physical-several.at.ply.gg |
| Ports | 51206 |
| Botnet | HacKed |
| Auto-run registry key | Software\Microsoft\Windows\CurrentVersion\Run\10e16ea1fd352d48d0c7f69840d59b0c |
| Splitter | \|'\|'\| |
| Version | im523 |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 2472 | Defender Control.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 2472 | Defender Control.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 2472 | Defender Control.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 2472 | Defender Control.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 2472 | Defender Control.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | write | en-US |
| 2624 | svchost.exe | HKEY_CURRENT_USER | di | write | ! |
| 4044 | dlhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 4044 | dlhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 4044 | dlhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 4044 | dlhost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2840 | dControl.exe | C:\Users\admin\AppData\Local\Temp\autF34B.tmp | binary | ECFFD3E81C5F2E3C62BCDC122442B5F2 | 9874AB363B07DCC7E9CD6022A380A64102C1814343642295239A9F120CB941C5 |
| 3464 | dControl.exe | C:\Windows\TEMP\autF463.tmp | binary | EFE44D9F6E4426A05E39F99AD407D3E7 | 5EA3B26C6B1B71EDAEF17CE365D50BE963AE9F4CB79B39EC723FE6E9E4054366 |
| 2840 | dControl.exe | C:\Users\admin\AppData\Local\Temp\2l8k4p0r.tmp | text | E00DCC76E4DCD90994587375125DE04B | C8709F5A8B971D136E2273D66E65449791CA8EBA1F47DD767733EA52EE635447 |
| 3464 | dControl.exe | C:\Windows\TEMP\autF443.tmp | binary | 9D5A0EF18CC4BB492930582064C5330F | 8F5BBCC572BC62FEB13A669F856D21886A61888FD6288AFD066272A27EA79BB3 |
| 3992 | dControl.exe | C:\Windows\TEMP\autF53F.tmp | binary | ECFFD3E81C5F2E3C62BCDC122442B5F2 | 9874AB363B07DCC7E9CD6022A380A64102C1814343642295239A9F120CB941C5 |
| 3992 | dControl.exe | C:\Windows\TEMP\3n9l9n2j.tmp | text | E00DCC76E4DCD90994587375125DE04B | C8709F5A8B971D136E2273D66E65449791CA8EBA1F47DD767733EA52EE635447 |
| 1496 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCF7FC.tmp | res | 697F148DC1B31DEB9E707997646DEF0B | AB014A36B78FEBF2234C8576AC531548C047DD7F45873D108C698740C503DEFF |
| 2472 | Defender Control.exe | C:\Users\admin\AppData\Local\Temp\dllhost.exe | executable | D3BE1A2FF7B22817556F1B9B52637F9D | ADE88CC6669F714A8538FE225252E554C5B4A4BEAE25088B32DA63D743F2B05C |
| 2472 | Defender Control.exe | C:\Users\admin\AppData\Local\Temp\dControl.exe | executable | 58008524A6473BDF86C1040A9A9E39C3 | 1EF6C1A4DFDC39B63BFE650CA81AB89510DE6C0D3D7C608AC5BE80033E559326 |
| 2472 | Defender Control.exe | C:\Users\admin\AppData\Local\Temp\dlhost.exe | executable | 8D843BEC1B2FA4692A5A5824FB8B4700 | 15FA29093E6053281EAED8642880975A1AE649C55285593C0FE2385FA2202E28 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2632 | svhost.exe | 147.185.221.16:40537 | social-mod.gl.at.ply.gg | PLAYIT-GG | US | malicious |
2624 | svchost.exe | 209.25.141.211:51206 | physical-several.at.ply.gg | PLAYIT-GG | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| social-mod.gl.at.ply.gg | — | unknown |
| physical-several.at.ply.gg | — | unknown |
| dns.msftncsi.com | — | shared |
PID | Process | Class | Message |
---|---|---|---|
1080 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |