Edit tour
Windows
Analysis Report
V1yLpoS3XR.exe
Overview
General Information
Sample name: | V1yLpoS3XR.exerenamed because original name is a hash value |
Original sample name: | 7f264ba8e4c519ce90c6e3b430945476.exe |
Analysis ID: | 1417126 |
MD5: | 7f264ba8e4c519ce90c6e3b430945476 |
SHA1: | 4e18269b4c70931dcad3f7ca58e4f5db00411549 |
SHA256: | 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f |
Tags: | 32exetrojan |
Infos: | |
Detection
AsyncRAT, VenomRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected UAC Bypass using CMSTP
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- V1yLpoS3XR.exe (PID: 4080 cmdline:
"C:\Users\ user\Deskt op\V1yLpoS 3XR.exe" MD5: 7F264BA8E4C519CE90C6E3B430945476) - pop3.exe (PID: 736 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\pop3.e xe" MD5: 8CD2675E19A8B1DCCF0DBF082F42AB33) - jsc.exe (PID: 7248 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\jsc .exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9) - jsc.exe (PID: 7256 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\jsc .exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9) - WerFault.exe (PID: 7332 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 36 -s 1044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - start.exe (PID: 4320 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\start. exe" MD5: C1ADE258F05C512E98EBC4D9D1165F8A) - cmd.exe (PID: 7540 cmdline:
"C:\Window s\System32 \cmd.exe" /c schtask s /create /f /sc onl ogon /rl h ighest /tn "svchos" /tr '"C:\U sers\user\ AppData\Ro aming\svch os.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7548 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 7632 cmdline:
schtasks / create /f /sc onlogo n /rl high est /tn "s vchos" /tr '"C:\User s\user\App Data\Roami ng\svchos. exe"' MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 7560 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmp1 7FD.tmp.ba t"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 7660 cmdline:
timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - svchos.exe (PID: 7780 cmdline:
"C:\Users\ user\AppDa ta\Roaming \svchos.ex e" MD5: C1ADE258F05C512E98EBC4D9D1165F8A)
- svchos.exe (PID: 7708 cmdline:
C:\Users\u ser\AppDat a\Roaming\ svchos.exe MD5: C1ADE258F05C512E98EBC4D9D1165F8A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Server": "leetboy.dynuddns.net", "Port": "1339", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "true", "Group": "true"}
{"Ports": ["1339"], "Server": ["leetboy.dynuddns.net"], "Mutex": "Exodus_Market", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "F0xfEIJ635aPVzJ7TxUSC7Qq0Nvv0T62b4z7CBNsc9ph6RsbFVcdaGd7619j9z8vXELuNb6nAMNzxVh5zw431HAg8uxac4l65Js76iA5ua7oiXIZGJkyHmqqwsGIyAhRfW3MsonOqm07xD5N0vdfHey4r0Vncivg0lzclsA5ofF6Vyle+WewDOLGeL+PH3bGiw9F8dbBeBgH6rdzG7t0OHdgh/32iJ0W9BUzFgjiD7/KZV/QPYXp6Tbh4Mryl4lt9khPn2VmC2eApgyazrOKC5PRUCdNN2J/IPPN3z9F+7nIn/ILSg9vsh5nz/2Zm2/wZ7MqHWvJ9OwxPB1jIs4ojWX4YhQRQkiHSMSC/4aNkvrU+3rMVgLOeieTqhxXnI2G0+wE8pMh5N7fELuZ4oupmAo/Xvbvaaguc2KgGc42OFxAVDJE/pkCg4/wmytoKWH8IEMAd/41qAN22r4qtw95CqhVM6LI6Nqgz3MHHf3fMbkDAbPgOl2z+Hy/gYWl5SMamD6RVWFAC0gDcHpXzFMjzVv5LIuCdaHvFmlDuCUgnezy9oUmMMhEOtOINDtLBS7UoGjYGo2HtI54OJZIDUUHYaD3jIOFaVzq/18l0RKZo8mYWMHwKrdypWpZtd9an1cAHAHb8qmc5Jif/Xajgj4hvCTaGaOOo95NlNeawcWrm1M="}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security | ||
Click to see the 34 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security | ||
JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
| |
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
| |
JoeSecurity_VenomRAT | Yara detected VenomRAT | Joe Security | ||
Click to see the 23 entries |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp: | 03/28/24-16:25:58.663411 |
SID: | 2850454 |
Source Port: | 4449 |
Destination Port: | 49735 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/28/24-16:26:05.071550 |
SID: | 2035595 |
Source Port: | 1339 |
Destination Port: | 49743 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/28/24-16:25:58.663411 |
SID: | 2848152 |
Source Port: | 4449 |
Destination Port: | 49735 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/28/24-16:26:05.071550 |
SID: | 2030673 |
Source Port: | 1339 |
Destination Port: | 49743 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |