File name: fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184

Full analysis: https://app.any.run/tasks/707afb10-6726-4339-97b8-8e90d54c28ac
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many malicious capabilities.

Analysis date: January 30, 2025, 22:53:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
purecrypter
netreactor
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: F7FF29ED9C4F2BF03A3EE92E71CC07A4
SHA1: C6FBD7F4E8F4410B86D2BF5F59FCC0C3B9F1F41A
SHA256: FD7A64D15E03608DCEB95BC0912B39F9B94327B7BA8E6C989AA29205C3819184
SSDEEP: 49152:fTi//hl2nt+gosfqe0/EMsoWHDMfqh/SNlPiwkUSdwpU7fnNIN7B8Tm82hOxJQtw:f0yo3sfHMOjMLNlErdAyNgF8Tm1OCqHT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • PURECRYPTER has been detected (YARA)

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • Create files in the Startup directory

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • ASYNCRAT has been detected (YARA)

      • InstallUtil.exe (PID: 5592)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • Connects to unusual port

      • InstallUtil.exe (PID: 5592)
  • INFO

    • Checks supported languages

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
      • InstallUtil.exe (PID: 5592)
    • Reads the computer name

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
      • InstallUtil.exe (PID: 5592)
    • Reads the machine GUID from the registry

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
      • InstallUtil.exe (PID: 5592)
    • .NET Reactor protector has been detected

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • Creates files or folders in the user directory

      • fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe (PID: 5916)
    • Manual execution by a user

      • InstallUtil.exe (PID: 5592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat configuration

Process: InstallUtil.exe (PID 5592)
C2 (1): deadpoolstart2037.duckdns.org
Ports (1): 4010
Version: 1.0.7
Options
  AutoRun: false
  Mutex: cookiestemp
  InstallFolder: %AppData%
Certificates
  Cert1: MIICKzCCAZSgAwIBAgIVAIl0qKpvXDSasNr35XLYMldJTIwlMA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB0Nvb2tpZXMxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTA3MDcxODU0NTVaFw0zMjA0MTUxODU0NTVaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB...
  Server_Signature: FCsPYme/8s8Q8oIMTcERd2fSWwAmJG2F1b5YMD2Ve3+WEwN/0E6fjmFAvxDh3GJRnFGR/KP75P0Puo/n2MSi07nwm38uNbjNO0jB4RGxr5DUoRSNmzrO3XkI2IxmIIWrJFe1MbWl4N83+MmVP53E1dgO6AZEnaWzk3zCFgblzjo=
Keys
  AES: 314e0517eca67dd0b88d04b1a6362403c71be302db8010c32031f7d034d5df68
  Salt: DcRatByqwqdanchun
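The Cert1 value in the configuration is the server certificate embedded in the AsyncRAT client, and the report prints only a base64 prefix of it (cut off inside the public key). The following stdlib-only DER walker is an added example, not part of the ANY.RUN report or of AsyncRAT's own code: it parses just the visible bytes, clamping any declared length that runs past the buffer, and pulls out the issuer, subject, validity period and algorithm identifiers. That is enough to recognise the DcRat builder names in the issuer DN, which agree with the Salt value shown above. The field labels, OID tables and the RSA key-size estimate are mine; the estimate assumes a 3-byte public exponent and is derived from the declared BIT STRING length, since the modulus itself is not present.

```python
"""Decode the truncated AsyncRAT/DcRat server certificate from the report.

Added example, not ANY.RUN's or AsyncRAT's code. Only the base64 prefix the
report prints is parsed; lengths that run past the buffer are clamped rather
than rejected, and nothing beyond the visible bytes is reconstructed.
"""
import base64
from datetime import datetime, timezone

# Cert1 exactly as printed in the report, minus the trailing "..."
CERT1_PREFIX = (
    "MIICKzCCAZSgAwIBAgIVAIl0qKpvXDSasNr35XLYMldJTIwlMA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNV"
    "BAMMB0Nvb2tpZXMxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNo"
    "dW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTA3MDcxODU0NTVaFw0zMjA0MTUxODU0NTVa"
    "MBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"
)

# Small OID tables (assumption: only the attributes and algorithms this cert uses)
ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
        "2.5.4.10": "O", "2.5.4.11": "OU"}
ALGO = {"1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}


def tlv_header(buf, pos):
    """Parse the tag and definite length at pos; return (tag, declared_len, content_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def read_tlv(buf, pos):
    """Return (tag, content, next_pos), clamping content to the bytes we have."""
    tag, length, start = tlv_header(buf, pos)
    end = min(start + length, len(buf))
    return tag, buf[start:end], end


def children(value):
    """Iterate the TLVs inside a constructed value, stopping where the input ends."""
    pos = 0
    while pos + 2 <= len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Dotted form of a DER OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(value):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    parts = []
    for _, rdn_set in children(value):
        for _, atv in children(rdn_set):
            (_, oid_raw), (_, text) = list(children(atv))[:2]
            oid = decode_oid(oid_raw)
            parts.append(f"{ATTR.get(oid, oid)}={text.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def parse_utc_time(raw):
    """UTCTime YYMMDDhhmmssZ as an aware datetime."""
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def estimate_rsa_bits(spki):
    """Modulus size from the declared lengths still present in the truncated
    SubjectPublicKeyInfo. Assumes a 3-byte exponent (65537) and a long-form
    one-byte INTEGER length, i.e. a 1024..2040-bit key; the modulus bytes
    themselves are not in the prefix."""
    _, alg_len, alg_start = tlv_header(spki, 0)                # AlgorithmIdentifier
    _, _, bits_start = tlv_header(spki, alg_start + alg_len)   # BIT STRING header
    _, seq_len, _ = tlv_header(spki, bits_start + 1)           # RSAPublicKey SEQUENCE (skip unused-bits byte)
    modulus_len = seq_len - 3 - 5                              # minus INTEGER header and exponent TLV
    return (modulus_len - 1) * 8                               # minus DER's leading sign byte


def summarize(b64):
    der = base64.b64decode(b64)
    _, cert, _ = read_tlv(der, 0)            # Certificate (declared 555 bytes, 221 present)
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate
    version, serial, sig_alg, issuer, validity, subject, spki = [v for _, v in children(tbs)][:7]
    sig_oid = decode_oid(next(children(sig_alg))[1])
    key_oid = decode_oid(next(children(next(children(spki))[1]))[1])
    not_before, not_after = (parse_utc_time(v) for _, v in children(validity))
    return {
        "version": int.from_bytes(next(children(version))[1], "big") + 1,
        "serial": serial.hex(),
        "signature_algorithm": ALGO.get(sig_oid, sig_oid),
        "issuer": parse_name(issuer),
        "subject": parse_name(subject),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "public_key_algorithm": ALGO.get(key_oid, key_oid),
        "rsa_bits_estimate": estimate_rsa_bits(spki),
    }


if __name__ == "__main__":
    for k, v in summarize(CERT1_PREFIX).items():
        print(f"{k:22s} {v}")
```

The issuer decodes to CN=Cookies, OU=qwqdanchun, O=DcRat By qwqdanchun, L=SH, C=CN with subject CN=DcRat, valid from 2021-07-07 to 2032-04-15, so the O field is the same builder name that appears in the Salt; the long validity and 1024-bit RSA key are further hints that this is a generated C2 certificate rather than one issued by a CA.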

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:30 19:49:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1058304
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x10443e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 13.0.0.8
ProductVersionNumber: 13.0.0.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Win Protector
CompanyName: Auslogics
FileDescription: Win Protector
FileVersion: 13.0.0.8
InternalName: Ghrfqo.exe
LegalCopyright: Copyright © 2008-2024 Auslogics Labs Pty Ltd
LegalTrademarks: Copyright © 2008-2024 Auslogics Labs Pty Ltd
OriginalFileName: Ghrfqo.exe
ProductName: BoostSpeed
ProductVersion: 13.0.0.8
AssemblyVersion: 13.0.0.8
All screenshots are available in the full report
Total processes: 115
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start; fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe [#PURECRYPTER]; installutil.exe [#ASYNCRAT]; svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5592
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: .NET Framework installation utility
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5916
CMD: "C:\Users\admin\Desktop\fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe"
Path: C:\Users\admin\Desktop\fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe
Parent process: explorer.exe
User: admin
Company: Auslogics
Integrity Level: MEDIUM
Description: Win Protector
Exit code: 4294967295
Version: 13.0.0.8
Modules
Images
c:\users\admin\desktop\fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 598
Read events: 598
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 5916, fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NextSink.vbs
  Type: text
  MD5: 86C0CDCCFB8411316752CDBAD101EB5F
  SHA256: 766290ECDF4D329411C690FC3335AFB7A24C3D0D878ABD7BAD5075B6139B37F5
PID 5916, fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe
  Filename: C:\Users\admin\AppData\Roaming\NextSink.exe
  Type: executable
  MD5: F7FF29ED9C4F2BF03A3EE92E71CC07A4
  SHA256: FD7A64D15E03608DCEB95BC0912B39F9B94327B7BA8E6C989AA29205C3819184
  (identical MD5 and SHA256 to the analysed sample, i.e. the sample copied itself into %AppData%)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 39
DNS requests: 7
Threats: 4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.21.65.132:443 | - | Akamai International B.V. | NL | unknown
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5592 | InstallUtil.exe | 179.14.11.213:4010 | deadpoolstart2037.duckdns.org | Colombia Movil | CO | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
deadpoolstart2037.duckdns.org
  • 179.14.11.213
unknown
self.events.data.microsoft.com
  • 20.50.80.210
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2192 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain

The alerts are attributed to svchost.exe (PID 2192) rather than to InstallUtil.exe because that process hosts the DNS Client service (svchost.exe -k NetworkService -s Dnscache, see the process list above), which resolves the C2 name on behalf of the injected InstallUtil.exe; the TCP connection to 179.14.11.213:4010 itself is made by PID 5592.
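The report's indicators (the self-copy to %AppData%\Roaming\NextSink.exe, the NextSink.vbs launcher in the Startup folder, a bare InstallUtil.exe started under explorer.exe, and the InstallUtil.exe connection to a DuckDNS name on port 4010) map directly onto hunting rules for endpoint telemetry. The following is an added example, not ANY.RUN's code: it evaluates Sysmon-style process, file and network events against those behaviours. Only the hash, C2 host, port and file names come from the report; the event records, their field names (type, pid, image, path, sha256, image_sha256, dest_host, dest_port, command_line) and the generalisations (any script in a Startup folder, any .exe under %AppData%\Roaming hashing to its parent image, the No-IP and DDNS providers alongside DuckDNS) are constructed for illustration and go beyond what this one run shows.

```python
"""Hunt for the behaviours recorded in this report in Sysmon-style telemetry.

Added example, not ANY.RUN's code. The indicator values (sample hash, C2 host
and port, dropped-file names, the bare InstallUtil.exe command line) come from
the report above; the event records, their field names and the generalised
patterns are constructed for illustration.
"""
import re

# Indicators copied from the report
SAMPLE_SHA256 = "fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184"
C2_HOST = "deadpoolstart2037.duckdns.org"
C2_PORT = 4010

# Generalisations of what the run did (assumptions, wider than the report):
# any script dropped into a per-user Startup folder, any .exe written under
# %AppData%\Roaming that hashes to its own parent image, any connection to a
# dynamic-DNS provider (the ET DYN_DNS alerts in the report cover DuckDNS only).
STARTUP_SCRIPT = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(vbs|js|wsf|bat|cmd)$", re.I)
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)
DYN_DNS = re.compile(r"\.(duckdns\.org|ddns\.net|no-ip\.(com|org|biz))$", re.I)
INSTALLUTIL = re.compile(r"\\installutil\.exe$", re.I)


def evaluate(ev):
    """Return the names of every rule one event trips (empty list = clean)."""
    hits = []
    if ev["type"] == "file_create":
        path, sha = ev["path"], ev.get("sha256", "").lower()
        if STARTUP_SCRIPT.search(path):
            hits.append("startup-folder-script")
        if ROAMING_EXE.search(path) and sha and sha == ev.get("image_sha256", "").lower():
            hits.append("self-copy-to-appdata")      # NextSink.exe == the sample itself
        if sha == SAMPLE_SHA256:
            hits.append("known-sample-hash")
    elif ev["type"] == "network_connect":
        host = ev.get("dest_host", "").lower()
        if host == C2_HOST and ev["dest_port"] == C2_PORT:
            hits.append("known-c2")
        elif DYN_DNS.search(host):
            hits.append("dynamic-dns-destination")
        if INSTALLUTIL.search(ev["image"]) and ev["dest_port"] not in (80, 443):
            hits.append("installutil-unusual-port")  # the report's "Connects to unusual port"
    elif ev["type"] == "process_create":
        # A genuine InstallUtil run names an assembly to (un)install; a bare
        # InstallUtil.exe under explorer.exe, as in this run, is a hollowed host.
        bare = ev["command_line"].strip().strip('"').lower().endswith("installutil.exe")
        if INSTALLUTIL.search(ev["image"]) and bare:
            hits.append("installutil-no-arguments")
    return hits


def hunt(events):
    """Map each tripped rule to the set of PIDs responsible."""
    findings = {}
    for ev in events:
        for rule in evaluate(ev):
            findings.setdefault(rule, set()).add(ev["pid"])
    return findings


SAMPLE_EXE = r"C:\Users\admin\Desktop\fd7a64d15e03608dceb95bc0912b39f9b94327b7ba8e6c989aa29205c3819184.exe"
INSTALLUTIL_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed telemetry modelled on the report's process tree and dropped files
EVENTS = [
    {"type": "process_create", "pid": 5916, "image": SAMPLE_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{SAMPLE_EXE}"'},
    {"type": "file_create", "pid": 5916, "image": SAMPLE_EXE, "image_sha256": SAMPLE_SHA256,
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NextSink.vbs",
     "sha256": "766290ecdf4d329411c690fc3335afb7a24c3d0d878abd7bad5075b6139b37f5"},
    {"type": "file_create", "pid": 5916, "image": SAMPLE_EXE, "image_sha256": SAMPLE_SHA256,
     "path": r"C:\Users\admin\AppData\Roaming\NextSink.exe", "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 5592, "image": INSTALLUTIL_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{INSTALLUTIL_EXE}"'},
    {"type": "network_connect", "pid": 5592, "image": INSTALLUTIL_EXE,
     "dest_ip": "179.14.11.213", "dest_host": C2_HOST, "dest_port": C2_PORT},
    # Benign background traffic from the same run, which must stay clean
    {"type": "network_connect", "pid": 4712, "image": r"C:\Windows\System32\MoUsoCoreWorker.exe",
     "dest_ip": "2.16.164.9", "dest_host": "crl.microsoft.com", "dest_port": 80},
]

if __name__ == "__main__":
    for rule, pids in sorted(hunt(EVENTS).items()):
        print(f"{rule:28s} PIDs {sorted(pids)}")
```

The hash and C2 rules are exact indicators and will go stale as soon as the operator rebuilds or re-points the client; the behavioural rules (Startup-folder script, self-copy into Roaming, argument-less InstallUtil.exe, non-web port from a .NET utility) are the ones worth keeping, and the Windows CRL fetch shows they stay quiet on ordinary background traffic.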