Edit tour
Windows
Analysis Report
rU6YAgkoAw.exe
Overview
General Information
| Sample name: | rU6YAgkoAw.exerenamed because original name is a hash value |
| Original sample name: | 1f2ec9232f191e28fa8d5fbcbfad3a4f.exe |
| Analysis ID: | 1417077 |
| MD5: | 1f2ec9232f191e28fa8d5fbcbfad3a4f |
| SHA1: | ee22f5b25185c5a6d37e16d3eb52f9515fd6964d |
| SHA256: | b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08 |
| Tags: | 32exetrojan |
| Infos: |   |
 | |
Detection
AsyncRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Drops executable to a common third party application directory
Drops large PE files
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Tries to load missing DLLs
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
rU6YAgkoAw.exe (PID: 6508 cmdline: "C:\Users\ user\Deskt op\rU6YAgk oAw.exe" MD5: 1F2EC9232F191E28FA8D5FBCBFAD3A4F) - tmpAADD.tmp.exe (PID: 3284 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\tmpAAD D.tmp.exe" MD5: 0B459466E3619D2A29BB93EA2DAC077A) - svchost (3).exe (PID: 7424 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\svch ost (3).ex e" MD5: 8CD2675E19A8B1DCCF0DBF082F42AB33) - RegSvcs.exe (PID: 5844 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\reg svcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) 
WerFault.exe (PID: 1916 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 424 -s 118 4 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) 
build.exe (PID: 744 cmdline: "C:\Users\ user~1\App Data\Local \Temp\buil d.exe" MD5: 8701FCD188315FA69245FB99E07DF60D) - main.exe (PID: 4696 cmdline:
C:\Users\u ser~1\AppD ata\Local\ Temp\2eHfv uySzqzZl8q UAC9nldhe9 q6\main.ex e MD5: 94F3E2F32CED13FD99CC314BEB587233) - main.exe (PID: 6972 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\2eHf vuySzqzZl8 qUAC9nldhe 9q6\main.e xe" --type =gpu-proce ss --user- data-dir=" C:\Users\u ser\AppDat a\Roaming\ main" --gp u-preferen ces=UAAAAA AAAADgAAAY AAAAAAAAAA AAAAAAAABg AAAAAAAwAA AAAAAAAAAA AAAQAAAAAA AAAAAAAAAA AAAAAAAAAE gAAAAAAAAA SAAAAAAAAA AYAAAAAgAA ABAAAAAAAA AAGAAAAAAA AAAQAAAAAA AAAAAAAAAO AAAAEAAAAA AAAAABAAAA DgAAAAgAAA AAAAAACAAA AAAAAAA= - -mojo-plat form-chann el-handle= 1704 --fie ld-trial-h andle=1836 ,i,5338084 4802499029 22,7187138 2407862154 67,131072 --disable- features=S pareRender erForSiteP erProcess, WinRetriev eSuggestio nsOnlyOnDe mand /pref etch:2 MD5: 94F3E2F32CED13FD99CC314BEB587233) - main.exe (PID: 1768 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\2eHf vuySzqzZl8 qUAC9nldhe 9q6\main.e xe" --type =utility - -utility-s ub-type=ne twork.mojo m.NetworkS ervice --l ang=en-GB --service- sandbox-ty pe=none -- user-data- dir="C:\Us ers\user\A ppData\Roa ming\main" --mojo-pl atform-cha nnel-handl e=2148 --f ield-trial -handle=18 36,i,53380 8448024990 2922,71871 3824078621 5467,13107 2 --disabl e-features =SpareRend ererForSit ePerProces s,WinRetri eveSuggest ionsOnlyOn Demand /pr efetch:8 MD5: 94F3E2F32CED13FD99CC314BEB587233) - start.exe (PID: 368 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\star t.exe" MD5: C1ADE258F05C512E98EBC4D9D1165F8A) 
cmd.exe (PID: 4116 cmdline: "C:\Window s\System32 \cmd.exe" /c schtask s /create /f /sc onl ogon /rl h ighest /tn "svchos" /tr '"C:\U sers\user\ AppData\Ro aming\svch os.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3628 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 736 cmdline:
schtasks / create /f /sc onlogo n /rl high est /tn "s vchos" /tr '"C:\User s\user\App Data\Roami ng\svchos. exe"' MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 3896 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmpD 46E.tmp.ba t"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3968 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 1832 cmdline:
timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - svchos.exe (PID: 5140 cmdline:
"C:\Users\ user\AppDa ta\Roaming \svchos.ex e" MD5: C1ADE258F05C512E98EBC4D9D1165F8A)
- svchos.exe (PID: 5188 cmdline:
C:\Users\u ser\AppDat a\Roaming\ svchos.exe MD5: C1ADE258F05C512E98EBC4D9D1165F8A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Ports": ["1339"], "Server": ["leetboy.dynuddns.net"], "Mutex": "Exodus_Market", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "F0xfEIJ635aPVzJ7TxUSC7Qq0Nvv0T62b4z7CBNsc9ph6RsbFVcdaGd7619j9z8vXELuNb6nAMNzxVh5zw431HAg8uxac4l65Js76iA5ua7oiXIZGJkyHmqqwsGIyAhRfW3MsonOqm07xD5N0vdfHey4r0Vncivg0lzclsA5ofF6Vyle+WewDOLGeL+PH3bGiw9F8dbBeBgH6rdzG7t0OHdgh/32iJ0W9BUzFgjiD7/KZV/QPYXp6Tbh4Mryl4lt9khPn2VmC2eApgyazrOKC5PRUCdNN2J/IPPN3z9F+7nIn/ILSg9vsh5nz/2Zm2/wZ7MqHWvJ9OwxPB1jIs4ojWX4YhQRQkiHSMSC/4aNkvrU+3rMVgLOeieTqhxXnI2G0+wE8pMh5N7fELuZ4oupmAo/Xvbvaaguc2KgGc42OFxAVDJE/pkCg4/wmytoKWH8IEMAd/41qAN22r4qtw95CqhVM6LI6Nqgz3MHHf3fMbkDAbPgOl2z+Hy/gYWl5SMamD6RVWFAC0gDcHpXzFMjzVv5LIuCdaHvFmlDuCUgnezy9oUmMMhEOtOINDtLBS7UoGjYGo2HtI54OJZIDUUHYaD3jIOFaVzq/18l0RKZo8mYWMHwKrdypWpZtd9an1cAHAHb8qmc5Jif/Xajgj4hvCTaGaOOo95NlNeawcWrm1M="}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| Click to see the 9 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Click to see the 6 entries | ||||
System Summary |   |
|---|
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: frack113, Nasreddine Bencherchali: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||