Edit tour

Windows Analysis Report
bUAB.exe

Overview

General Information

Sample name:	bUAB.exe
Analysis ID:	1426963
MD5:	e3a50cd4b0d687de0371979907eecec8
SHA1:	a985891877f61b6b68b9584b3ebedad6941eb7ec
SHA256:	bbfd0355383f8e0df1442c646737854bfccb138b9c89e86c64c3d49d31e5fbf8
Tags:	DcRatexe
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

bUAB.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\bUAB.exe" MD5: E3A50CD4B0D687DE0371979907EECEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Ports": ["2016"], "Server": ["window10.duckdns.org"], "Mutex": "DcRatMutex_qw6rgvfu6ruj67fere5fhy HJG", "Certificate": "MIICMDCCAZmgAwIBAgIVAOiowOgN5NQCLKxXZz1P8wPFyFGbMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTEyNzE5NTQzNloXDTMzMDkwNTE5NTQzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRrE0IxI4zvM+hQcd9c4/yjtBdQ09rGNkpsb08nsW4aceh/GHFWKWNHRyls+IUj6Kow5TCJXpFu6pm5I+96sGG68VLJEfoj3YXIakWD2G8tJPPpO/K+AgInNvriE+lJYAq1h8v4ZIiJjeCCAHt9BoASkTJURDBrpDXmIpmJth7dAgMBAAGjMjAwMB0GA1UdDgQWBBQ9+9t2HSqwv0IrSQzqdGSkt2dxiDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAKGk8bk2LLJ+VAz3F5R8eGjfhgE9gCOLW+R0LrM9TAxnZ41mNHCVXuDXSVB8sCst7u7xIsUZwCByYPWGFnxT5CrT32bsjZQ6SP1PVPs8bPuK7fdTlX4jbsHKaAM1spt8dWRMttkGQY7sOqCKNwCKmqfw/koPiv3wPpHBQIEUleKh", "Server Signature": "CfBGWgaZcSFbRY1ZjzIeyTGhsM2okmwQOujBLV9KdxvTK5nuKtxl0YRc2dkODk9hElCZE1bbstsI9BFpQuIkGa59o27bUU8qSGAak3ZjEIlIgtbTjjgbQCxSQToalikk8qsDvFS4CG/X5uWQ60CVgykbly7uvjFvKlV47JqVu1A="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bUAB.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
bUAB.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fc:$a1: havecamera 0x9b14:$a2: timeout 3 > NUL 0x9b34:$a3: START "" " 0x99bf:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a74:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
bUAB.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a74:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99bf:$s2: L2Mgc2NodGFza3MgL2 0x993e:$s3: QW1zaVNjYW5CdWZmZXI 0x998c:$s4: VmlydHVhbFByb3RlY3Q
bUAB.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cf6:$q1: Select * from Win32_CacheMemory 0x9d36:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d84:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dd2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
bUAB.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa16e:$s1: DcRatBy

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x892:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1c58:$b2: DcRat By qwqdanchun1
00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3efc:$b2: DcRat By qwqdanchun1 0xb884:$b2: DcRat By qwqdanchun1 0xbad4:$b2: DcRat By qwqdanchun1
00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fc:$a1: havecamera 0x9914:$a2: timeout 3 > NUL 0x9934:$a3: START "" " 0x97bf:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9874:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x461bc:$b2: DcRat By qwqdanchun1
00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x238ec:$b2: DcRat By qwqdanchun1 0x263e0:$b2: DcRat By qwqdanchun1
00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5350:$b1: DcRatByqwqdanchun 0x438dc:$b2: DcRat By qwqdanchun1
00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x21c094:$b2: DcRat By qwqdanchun1
Process Memory Space: bUAB.exe PID: 7532	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: bUAB.exe PID: 7532	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: bUAB.exe PID: 7532	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x12961:$a1: havecamera 0x2d63:$b1: DcRatByqwqdanchun 0x1755b:$b1: DcRatByqwqdanchun 0x2b7:$b2: DcRat By qwqdanchun1 0xef29:$b2: DcRat By qwqdanchun1 0x1af4a:$b2: DcRat By qwqdanchun1 0x20be2:$b2: DcRat By qwqdanchun1 0x2e972:$b2: DcRat By qwqdanchun1 0x44e47:$b2: DcRat By qwqdanchun1
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bUAB.exe.3b0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.bUAB.exe.3b0000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fc:$a1: havecamera 0x9b14:$a2: timeout 3 > NUL 0x9b34:$a3: START "" " 0x99bf:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a74:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.bUAB.exe.3b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a74:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99bf:$s2: L2Mgc2NodGFza3MgL2 0x993e:$s3: QW1zaVNjYW5CdWZmZXI 0x998c:$s4: VmlydHVhbFByb3RlY3Q
0.0.bUAB.exe.3b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cf6:$q1: Select * from Win32_CacheMemory 0x9d36:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d84:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dd2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.bUAB.exe.3b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa16e:$s1: DcRatBy

Snort Signatures

ET TROJAN Observed Malicious SSL Cert (AsyncRAT) - Source IP: 172.94.39.213 - Destination IP: 192.168.2.4

Timestamp:	04/16/24-20:09:13.581089
SID:	2034847
Source Port:	2016
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 172.94.39.213 - Destination IP: 192.168.2.4

Timestamp:	04/16/24-20:09:13.581089
SID:	2848152
Source Port:	2016
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bUAB.exe

Avira: detected

Found malware configuration

Source: bUAB.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["2016"], "Server": ["window10.duckdns.org"], "Mutex": "DcRatMutex_qw6rgvfu6ruj67fere5fhy HJG", "Certificate": "MIICMDCCAZmgAwIBAgIVAOiowOgN5NQCLKxXZz1P8wPFyFGbMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTEyNzE5NTQzNloXDTMzMDkwNTE5NTQzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRrE0IxI4zvM+hQcd9c4/yjtBdQ09rGNkpsb08nsW4aceh/GHFWKWNHRyls+IUj6Kow5TCJXpFu6pm5I+96sGG68VLJEfoj3YXIakWD2G8tJPPpO/K+AgInNvriE+lJYAq1h8v4ZIiJjeCCAHt9BoASkTJURDBrpDXmIpmJth7dAgMBAAGjMjAwMB0GA1UdDgQWBBQ9+9t2HSqwv0IrSQzqdGSkt2dxiDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAKGk8bk2LLJ+VAz3F5R8eGjfhgE9gCOLW+R0LrM9TAxnZ41mNHCVXuDXSVB8sCst7u7xIsUZwCByYPWGFnxT5CrT32bsjZQ6SP1PVPs8bPuK7fdTlX4jbsHKaAM1spt8dWRMttkGQY7sOqCKNwCKmqfw/koPiv3wPpHBQIEUleKh", "Server Signature": "CfBGWgaZcSFbRY1ZjzIeyTGhsM2okmwQOujBLV9KdxvTK5nuKtxl0YRc2dkODk9hElCZE1bbstsI9BFpQuIkGa59o27bUU8qSGAak3ZjEIlIgtbTjjgbQCxSQToalikk8qsDvFS4CG/X5uWQ60CVgykbly7uvjFvKlV47JqVu1A="}

Multi AV Scanner detection for submitted file

Source: bUAB.exe

ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: bUAB.exe

Joe Sandbox ML: detected

Source: bUAB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 172.94.39.213:2016 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 172.94.39.213:2016 -> 192.168.2.4:49731

Uses dynamic DNS services

Source: unknown

DNS query: name: window10.duckdns.org

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: window10.duckdns.org

Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: bUAB.exe, 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;
Source: bUAB.exe, 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: bUAB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: bUAB.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: bUAB.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: bUAB.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: bUAB.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\bUAB.exe	Code function: 0_2_00007FFD9B8A6752	0_2_00007FFD9B8A6752
Source: C:\Users\user\Desktop\bUAB.exe	Code function: 0_2_00007FFD9B8A0600	0_2_00007FFD9B8A0600
Source: C:\Users\user\Desktop\bUAB.exe	Code function: 0_2_00007FFD9B8A59A6	0_2_00007FFD9B8A59A6

Source: bUAB.exe, 00000000.00000000.1660557765.00000000003BE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs bUAB.exe
Source: bUAB.exe	Binary or memory string: OriginalFilenameClient.exe" vs bUAB.exe

Source: bUAB.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: bUAB.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: bUAB.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: bUAB.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: bUAB.exe, Settings.cs	Base64 encoded string: 'WsUhTQje46qdg2lN6JVthKiw+LAQPDmUXNV5eUfEgROdFv89WKJ5OXBQdA0ZV8DCeYqmjvHT+Fa4fGwUeLUQyw==', 'TkYgoLUZBVzMxX20nfUGzR0GU0lcgPfvXXdATyC6183xEBWX/txToy/uzmYYMLxWn7Ngs0Nb46W8/iHfO2jAvB3utnkB9ylAt5KbkBV2XKw=', 'VmzBJGQ03lXVyrXTnqsJeQzo4Uutzy+bnv96bRJu+VfOcm27jIsPlggtAUMPT6ngayeinTyrzw1GSowjSZ78jA==', 'tsQctTio8bwbLQHkd9MfpL5jMkUBsZiLhpb1ppBFw8lAL+ztbcRrM8CA6i8vSDsh0M83PaMtnTj43hkcl9yY7A==', 'gzbSl59ZwlrDDVgvI2gcD1WGL1yS/K4kbXaiB5D+2d0LbU4ZB3yyRj/n4eomiTs7zG6MBAYzEyjMFk38fR/e/gLs92IVR9p+9cXhspQmsFRQVB6DD1Tr79kfQAofEWiw', 'H2WEsBgVBmC9/R62QTBaX89PgGnTZsbjdmw6EU2Fhy+ylpXiVfAm6YeTAxT+OlMR5llG4AUOodkNIiOBNNakLA==', 'PeOYw+bEtEhjCnll95hRjz3upv9bP1uivsDB4g3zuVS6br9QlKUe8PM0BTbiO73AMT7LRVofPKAHx+ILILCW/g==', 'Vu8u5NKpQ90jbn0VVcYy/4Rly7nw8QOXeVhFueu99AtFwsNK9u59fhMgWx81PI2dBv0boTu3zi4MTXhEndRTcA==', 'YlvdchsTMVZZxYCDwrwxPovuwOCjuIdff+Em4X+Ui5VT4Tr8CJKmMv7r/EpbEDhOVKySH5miswBAlCMnIMUa6w=='
Source: bUAB.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@5/1

Source: C:\Users\user\Desktop\bUAB.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\bUAB.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qw6rgvfu6ruj67fere5fhy HJG

Source: bUAB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bUAB.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\bUAB.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bUAB.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Section loaded: msdmo.dll	Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: bUAB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bUAB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\bUAB.exe

Code function: 0_2_00007FFD9B8A00BD pushad ; iretd

0_2_00007FFD9B8A00C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: bUAB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

Source: C:\Users\user\Desktop\bUAB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: bUAB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\bUAB.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bUAB.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\bUAB.exe	Memory allocated: B00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Memory allocated: 1A6C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe	Window / User API: threadDelayed 4470			Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe	Window / User API: threadDelayed 5373			Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe TID: 7760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe TID: 7816	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe TID: 7824	Thread sleep count: 4470 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bUAB.exe TID: 7824	Thread sleep count: 5373 > 30	Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: bUAB.exe, 00000000.00000002.2912981417.000000001B19F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\bUAB.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: bUAB.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: bUAB.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: bUAB.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: bUAB.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: bUAB.exe, 00000000.00000002.2910315909.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002735000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002727000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bUAB.exe, 00000000.00000002.2910315909.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002735000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002727000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\bUAB.exe

Queries volume information: C:\Users\user\Desktop\bUAB.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bUAB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: bUAB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFF3000.00000004.00000020.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2909667773.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\bUAB.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
bUAB.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
bUAB.exe	100%	Avira	HEUR/AGEN.1307404
bUAB.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.63.34	true	false	unknown
window10.duckdns.org	172.94.39.213	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bUAB.exe, 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.94.39.213	window10.duckdns.org	United States		9009	M247GB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426963
Start date and time:	2024-04-16 20:08:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bUAB.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@5/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 217.20.63.34, 23.40.205.9, 23.40.205.83, 23.40.205.74, 23.40.205.26, 23.40.205.34, 23.40.205.41, 23.40.205.66, 23.40.205.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: bUAB.exe

Simulations

Behavior and APIs

Time	Type	Description
20:09:14	API Interceptor	1x Sleep call for process: bUAB.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	https://netorg5340145-my.sharepoint.com/:b:/g/personal/info_curreg_com/EYsFsgLHWKJPpZNQ4wSBOOoBqo-z__F4rwbyNsnTrr6xBA?e=O3FtTX	Get hash	malicious	HTMLPhisher	Browse	217.20.50.37
	https://ethiocultural.com/choiys/ryosan.co.kr/efax/	Get hash	malicious	HTMLPhisher	Browse	217.20.54.36
	https://domainkey.xxabg.cn/	Get hash	malicious	Unknown	Browse	217.20.54.37
	F5ZC1F67nf.exe	Get hash	malicious	CobaltStrike	Browse	217.20.49.105
	https://pub-ccab1e1c90754b44a899b93b24a61322.r2.dev/pp.html	Get hash	malicious	HTMLPhisher	Browse	217.20.49.100
	http://validartucuentaaqui.mx.zya.me/login.live.com_login_verify_credentials_outlook.html?i=3	Get hash	malicious	Unknown	Browse	217.20.49.34
	https://omdomfinbd.com/amaz/	Get hash	malicious	Unknown	Browse	146.19.181.21
	https://www.w543.cn/	Get hash	malicious	Unknown	Browse	217.20.52.98
	https://kkx26.z11.web.core.windows.net/werrx01USAHTML/?bcda=1-877-200-1965	Get hash	malicious	TechSupportScam	Browse	146.19.181.19
	https://broken-hat-112c.u4eulk3x.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	162.222.105.38
bg.microsoft.map.fastly.net	https://docs.google.com/forms/d/e/1FAIpQLScaqr8AS5UHJLhHgsk75Su6KzT5rrqw0atzmeeQYQGFlm3rfA/viewform?usp=sf_link	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	xutnF2gKGTTy.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	hta.hta	Get hash	malicious	Unknown	Browse	199.232.214.172
	2.hta	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?No5zl=ZGFuQHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20=	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176	Get hash	malicious	Phisher	Browse	199.232.210.172
	ujMoHKBIfN.exe	Get hash	malicious	DarkCloud	Browse	199.232.210.172
	Shipping_Invoces_xls_0000000.vbs	Get hash	malicious	GuLoader	Browse	199.232.214.172
	Swift_documents&Advice.vbs	Get hash	malicious	GuLoader	Browse	199.232.214.172
	JUSTIFICANTE DE PAGO.vbs	Get hash	malicious	Unknown	Browse	199.232.210.172
window10.duckdns.org	bTa0.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	172.111.136.105
	bSX5.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	172.111.136.105
	bSkM.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	173.44.50.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	2jQHythw1E.elf	Get hash	malicious	Mirai	Browse	38.203.241.133
	zLH4Gkr36e.elf	Get hash	malicious	Mirai	Browse	194.71.126.13
	https://www.goodnewsliverpool.co.uk/?ads_click=1&data=10345-9192-0-3318-1&nonce=b019a2f042&redir=%68%74%74%70%25%33%41aiitpune.com%2Fjs%2Ftjux%2F%2Fc2J5cm5lQGpwYy5xbGQuZWR1LmF1&$	Get hash	malicious	HTMLPhisher	Browse	95.215.226.7
	r414SHIPPINGORDERETC-0313SO6432TW102667003.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	J2NWKU2oJi.exe	Get hash	malicious	Amadey, RHADAMANTHYS	Browse	91.202.233.180
	UGXRHW5XnG.elf	Get hash	malicious	Mirai	Browse	45.86.28.68
	IF175.vbs	Get hash	malicious	Unknown	Browse	45.61.128.239
	VVr5Eoo84.vbs	Get hash	malicious	Unknown	Browse	45.61.128.239
	V4Mhvhr77.vbs	Get hash	malicious	Unknown	Browse	45.61.128.239
	Bf5V99.vbs	Get hash	malicious	Unknown	Browse	45.61.128.239

Process:	C:\Users\user\Desktop\bUAB.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\bUAB.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1414940076987787
Encrypted:	false
SSDEEP:	6:kKMs3llDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:j3llMkPlE99SNxAhUeVLVt
MD5:	B744899B447B22033F3B9819A133E0A5
SHA1:	6DE73F94A1FE4EB2590922C3F6E82267D4E33272
SHA-256:	C2E1BF18EC0A93E4D7AC2030827F07590D7C4CEA7E3A4A397B99F60E0BE6BBE8
SHA-512:	42EC04C068322D912A136B12741859C32849061ABE3CF53ACC9068ADC848E8C8E14CDCD44B1F89401E526A816F9D1952A9CB62C7A9AC04379D7D75AB12E62C33
Malicious:	false
Reputation:	low
Preview:	p...... .........._0)...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.621111951451253
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	bUAB.exe
File size:	48'640 bytes
MD5:	e3a50cd4b0d687de0371979907eecec8
SHA1:	a985891877f61b6b68b9584b3ebedad6941eb7ec
SHA256:	bbfd0355383f8e0df1442c646737854bfccb138b9c89e86c64c3d49d31e5fbf8
SHA512:	273454ea78c38ed570f90a818a471e13cad94849797cf83b3bd7533581d12b381331afbea428ab571f6efeb260c9ce6bcfbfea5b0df24918b8899b11fda76cb3
SSDEEP:	768:l9GmxD6ILNCaS+Di+LFxh635OiY8Ybage19kOId0vEgK/JjZVc6KN:l9GAHW+RxkQzbNMkOQ0nkJjZVclN
TLSH:	E9236D0037A8C536E6BD4BB4ADF292058375D6672D03CA5D7CC814AA2B13FC996136FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cbde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabe4	0xac00	98ecc3faf77d1b7b1f4fcd67cece6b5e	False	0.5028161337209303	data	5.646482729064109	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	c10c3c0a0024ae64684ddd6e1f2ef429	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/16/24-20:09:13.581089	TCP	2034847	ET TROJAN Observed Malicious SSL Cert (AsyncRAT)	2016	49731	172.94.39.213	192.168.2.4
04/16/24-20:09:13.581089	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	2016	49731	172.94.39.213	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 20:09:11.545137882 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:11.829696894 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:11.829914093 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:13.290158987 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:13.581089020 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:13.586394072 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:13.877599001 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:13.925678015 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:14.931826115 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:15.268254042 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:15.268326044 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:15.604186058 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:25.349845886 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:25.684798002 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:25.684854984 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:25.976406097 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:26.019712925 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:26.314876080 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:26.330209017 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:26.667982101 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:26.668174982 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:27.004148006 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:35.770510912 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:36.104140997 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:36.104351997 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:36.389823914 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:36.441445112 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:36.725717068 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:36.727828979 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:37.013562918 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:37.013684988 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:37.349874973 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:46.191838026 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:46.527070999 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:46.527187109 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:46.827687979 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:46.878844023 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:47.165591002 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:47.188452005 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:47.523216963 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:47.523418903 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:47.857820034 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:56.614272118 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:56.948973894 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:56.949095011 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:57.233623981 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:57.285355091 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:57.569694996 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:57.572041035 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:57.905760050 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:09:57.905874014 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:09:58.244359970 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:06.909666061 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:06.957004070 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:07.111643076 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:07.241916895 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:07.242044926 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:07.453695059 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:07.531512976 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:07.735269070 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:07.997719049 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:07.998066902 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:07.999752998 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:08.333821058 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:08.333913088 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:08.668375969 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:17.519988060 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:17.861838102 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:17.862040997 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:18.150441885 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:18.191593885 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:18.481952906 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:18.484051943 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:18.817692041 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:18.817822933 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:19.152959108 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:27.942434072 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:28.276479006 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:28.276628017 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:28.561669111 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:28.613332033 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:28.902815104 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:28.904644012 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:29.241741896 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:29.241993904 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:29.576586008 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:36.900762081 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:36.957144022 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:37.244194984 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:37.285193920 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:38.363703012 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:38.697941065 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:38.698272943 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:38.984798908 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:39.035290003 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:39.320408106 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:39.322999001 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:39.657561064 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:39.657790899 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:39.992302895 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:48.786475897 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:49.121330023 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:49.121681929 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:49.409384966 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:49.457226992 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:49.742156029 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:49.744981050 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:50.081258059 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:50.081525087 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:50.417262077 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:59.223135948 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:59.558089018 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:59.558371067 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:10:59.845397949 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:10:59.894840956 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:11:00.181771994 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:11:00.183665037 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:11:00.521356106 CEST	2016	49731	172.94.39.213	192.168.2.4
Apr 16, 2024 20:11:00.521574020 CEST	49731	2016	192.168.2.4	172.94.39.213
Apr 16, 2024 20:11:00.857449055 CEST	2016	49731	172.94.39.213	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 20:09:02.089090109 CEST	52816	53	192.168.2.4	1.1.1.1
Apr 16, 2024 20:09:03.097940922 CEST	52816	53	192.168.2.4	1.1.1.1
Apr 16, 2024 20:09:04.097817898 CEST	52816	53	192.168.2.4	1.1.1.1
Apr 16, 2024 20:09:06.097735882 CEST	52816	53	192.168.2.4	1.1.1.1
Apr 16, 2024 20:09:06.197458029 CEST	53	52816	1.1.1.1	192.168.2.4
Apr 16, 2024 20:09:06.197501898 CEST	53	52816	1.1.1.1	192.168.2.4
Apr 16, 2024 20:09:06.197535992 CEST	53	52816	1.1.1.1	192.168.2.4
Apr 16, 2024 20:09:06.202701092 CEST	53	52816	1.1.1.1	192.168.2.4
Apr 16, 2024 20:09:11.209065914 CEST	62891	53	192.168.2.4	1.1.1.1
Apr 16, 2024 20:09:11.539151907 CEST	53	62891	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 20:09:02.089090109 CEST	192.168.2.4	1.1.1.1	0x4a0d	Standard query (0)	window10.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:03.097940922 CEST	192.168.2.4	1.1.1.1	0x4a0d	Standard query (0)	window10.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:04.097817898 CEST	192.168.2.4	1.1.1.1	0x4a0d	Standard query (0)	window10.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:06.097735882 CEST	192.168.2.4	1.1.1.1	0x4a0d	Standard query (0)	window10.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:11.209065914 CEST	192.168.2.4	1.1.1.1	0xc965	Standard query (0)	window10.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 20:09:06.197458029 CEST	1.1.1.1	192.168.2.4	0x4a0d	Server failure (2)	window10.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:06.197501898 CEST	1.1.1.1	192.168.2.4	0x4a0d	Server failure (2)	window10.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:06.197535992 CEST	1.1.1.1	192.168.2.4	0x4a0d	Server failure (2)	window10.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:06.202701092 CEST	1.1.1.1	192.168.2.4	0x4a0d	Server failure (2)	window10.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:11.539151907 CEST	1.1.1.1	192.168.2.4	0xc965	No error (0)	window10.duckdns.org		172.94.39.213	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.63.34	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.40	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.39	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.55.36	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.51.27	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.50.41	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.36	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:09:14.077347994 CEST	1.1.1.1	192.168.2.4	0xb508	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.53.34	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:10:14.312493086 CEST	1.1.1.1	192.168.2.4	0x1844	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 16, 2024 20:10:14.312493086 CEST	1.1.1.1	192.168.2.4	0x1844	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:08:55
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\bUAB.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bUAB.exe"
Imagebase:	0x3b0000
File size:	48'640 bytes
MD5 hash:	E3A50CD4B0D687DE0371979907EECEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B8A0600 Relevance: 1.8, Strings: 1, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FFD9B8A849A

Memory Dump Source

Source File: 00000000.00000002.2913754056.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_bUAB.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 583e59fd460670c36c0d00ad8e65a61e612636d5624d84ae2ef6d051eb5fb2a3
Instruction ID: 40a9f1ef75a1966d6c8ed191fdc823d2e2f552f2f8d9a1fad001abf544a5f254
Opcode Fuzzy Hash: 583e59fd460670c36c0d00ad8e65a61e612636d5624d84ae2ef6d051eb5fb2a3
Instruction Fuzzy Hash: DC12B430B1990A4FEB98FB689875AB973E2FF58310F55057DE01EC32D6DE38A8428751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A59A6 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2913754056.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_bUAB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1277d236e9e33972b055ea9509751e0c3aa2a7855b312451234c59c4fb0c2da2
Instruction ID: 02e5711908e04f6258caae133e096025dcbcfabc72712744bd5d6bad707ba715
Opcode Fuzzy Hash: 1277d236e9e33972b055ea9509751e0c3aa2a7855b312451234c59c4fb0c2da2
Instruction Fuzzy Hash: E0F1A830A0DA8D8FEBA8DF28D8557E937D1FF58310F04426EE84DC7295DB74A9858782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A6752 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2913754056.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_bUAB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa55c422a96f0274a61ff159f57c5f960620638b969f4bb8fb3af031ffc17d68
Instruction ID: 8d860c2729537c68f86df90057621b5cce437d491b281946f6b81316ab960f95
Opcode Fuzzy Hash: aa55c422a96f0274a61ff159f57c5f960620638b969f4bb8fb3af031ffc17d68
Instruction Fuzzy Hash: D0E1E670A09A4E8FEBA8DF28C8557E977D1FF58310F04826ED84DC72A5CF74A9418781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A7FBD Relevance: 1.7, APIs: 1, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B8A809A

Memory Dump Source

Source File: 00000000.00000002.2913754056.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_bUAB.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 885867b0bbdd49c51c5fb7ed4bb5fb8b90731d5aa7e1b8a78b2c48cb5697e0c5
Instruction ID: bc6b9f4418c27849d6c812dace07685d0b11066e38c32035e86412541f3095f5
Opcode Fuzzy Hash: 885867b0bbdd49c51c5fb7ed4bb5fb8b90731d5aa7e1b8a78b2c48cb5697e0c5
Instruction Fuzzy Hash: B0411931A0D78C4FDB1D9BA898566F97BE0EF96321F0442AFD089C3192DA756406C792

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bUAB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Windows Analysis Report
bUAB.exe

Function 00007FFD9B8A0600 Relevance: 1.8, Strings: 1, Instructions: 579
COMMON

Function 00007FFD9B8A59A6 Relevance: .5, Instructions: 472
COMMON

Function 00007FFD9B8A6752 Relevance: .5, Instructions: 458
COMMON

Function 00007FFD9B8A7FBD Relevance: 1.7, APIs: 1, Instructions: 166
memoryCOMMON