Edit tour
Windows
Analysis Report
LZazJikRId.exe
Overview
General Information
Sample name: | LZazJikRId.exerenamed because original name is a hash value |
Original sample name: | 4410dbdf8f12dfbf1f165276c42444fe.exe |
Analysis ID: | 1427019 |
MD5: | 4410dbdf8f12dfbf1f165276c42444fe |
SHA1: | 41636f267072fec4554293c8d6abe148e1e67cc6 |
SHA256: | 61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222 |
Tags: | AsyncRATexeRAT |
Infos: | |
Detection
AsyncRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- LZazJikRId.exe (PID: 7260 cmdline:
"C:\Users\ user\Deskt op\LZazJik RId.exe" MD5: 4410DBDF8F12DFBF1F165276C42444FE) - schtasks.exe (PID: 7676 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /f /sc ONLOGON /R L HIGHEST /tn "'audi odrv"' /tr "'C:\User s\user\App Data\Roami ng\audiodr v.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 7684 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7728 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmpD 41E.tmp.ba t"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7736 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 7780 cmdline:
timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6) - audiodrv.exe (PID: 7804 cmdline:
"C:\Users\ user\AppDa ta\Roaming \audiodrv. exe" MD5: B650EE637C386E63F318CFF98A1F4A7A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Ports": ["6606", "7707", "8808"], "Server": ["dgorijan20785.hopto.org"], "Version": "0.5.6A", "Mutex": "v5tvc4rc3ex788", "Certificate": "MIIE8jCCAtqgAwIBAgIQAKCvtX6x4GWUjdDXmrjDSzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjAwMjI3MTc1MDE4WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJWZrleM/elp6VQ5BNFXmHujEc6VYshScV5BjcC3RzsRwJJDOdN11KsItwYXo/V9MyRkcRg6sv4d5VV5VXICM28b5foqtB99ZROKxA/me7xsL+fr2wZ5E0mI0G1hiX+OCrKE1IfWu0KaI0aZXVVZkTjUuTzsgxcs1MgHKC2PenKfpx1x0U7q9FmsJAmXawMfFL4s0D+vSpxdBaJCn2ZwjYBOOOWdFUIuFJi8dbCL4oj4oNW4G0nBmCPeWQMpL3bMi43d3vM28wWdUOdiGiuUtHE+XUHQ7uxhw5QKsMaUz27t/+0kThrzLtn8daGgBjRpMg6wJqX6vmCZ9dAeYRhxy0hD8qJ6AugXnr6sOfTHUMZx0R+FoZBeUDiJ7xnVR8rP2/koXlCr0M7GRmLBgu/Q1mhQFRvVJJXoKUtzglU68JgQZWRAKK5TtAs6AKDO6O11HIg5oGYPdbh9QlEmMCCsQk1qdHFnrtsEZPC1by4bXpahbDI/VSg92uAahtAfrXqGgcoZG0oJQ2ZEp/oI5WTcDcMeYY6WkcZDiybV610+4Qhkh0+/9Vx8o5hqACEha+P4Y4+v24wLiW8IZOh/RvBRbK3ECqKn8IHcIRqQ1vEi5xIGRhpF0Qjr5XXKufQA2pYMDU1E6bTT5SjeNwSf8JXV96DZxwt/yDVXWkmJgh7+ZiB5AgMBAAGjMjAwMB0GA1UdDgQWBBSbnCsk+Il5H1ptmgszq/o+lfWgljAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBYXPPqc8VSTyuHNBzV8jZ8OhnVkba36kyTgkMezu7u30RC4+yxkCHzKs6D6iN/MipePwZ7PhCCB/U11G5uPehKk3r8NotgWNrWJK7OadRBgOlX4mw3mihLmvn90+RRZNsFOPMAYstr9ERI7Wqm/aYhLc23h+0PdL8BNjn4z+crPdGqRNAICw/wMF9z+KJ34sYFNJjCaJWUqP7cxF5KjtPQ1jJCCqywKJd/D+StJTSybp4i34jWEnhpNGuWYFZGIHIXspf8XxTItzEDym05HVc8aI5ZmsvI+6K/VhPnqc/UG1anDFaLlE458/RZj9rCRlTGPml8VIhSheY19bjqCjILrY5tm8QOwZTONYeZQGNwyZ6J7wn+KtOfGvQqIFphkoHkBQGie47Jb441vVs17pfd83MrBMRcyHW6yWaBS56dRGPYcTA04FSbMYiMBaJkN8Hx1Nn3AF5QiuSplkRrup2wmtfLNhfVVZJsIGks65bzgDOU0JhmN9ODDNeIm0nQzRuQ18efT+3ffzIBcx++ufuoX0l/kRcB4H+XbtCcsP3zYysPSWZpC2tW4VqOHLjdbyTHSFi0BhY2uESl9F3Ts0zxbWMkYj4ZJTuxMreLDuwVlbSjxbEIg6jC1jC9T94koGjaQjjQZfX+KJaqN7FcDs3wt61KHDcXhJjRt9xF04n7YQ==", "Server Signature": "hC+LRMyAIJunmtMIu5I/w2LCWhOXeyX1wM1Jgx8R5x3F4vzwVXusfKBKRLPEGHkDdVTFJeLHi9NM7o5i+QfANPGHTjYWUtPy8RsDP2BxcRbbLg5miGJniglJeGE5JLFn1kgXea7sRepu2rmDh6QBlqjeSZjg4J6S60Mvnykmq1a+/mqyItTWmRV/enOdTbRdn+dgipoHrz+IoFJLEGiBhjEu7ozXx6UngcRkRR9GWbYRjselqpFXDadztoJJc4qGEd/tJSRhH3xAPnSmpYXGOQWc0Puj+uMMkrPd4Fl1iME/qEugzyYyPsaWkrxS4iaftLceFUbjLT1mfgFzE3c4LqZ4MQNsf52WXUiC/ib0MPMCdr9Sj9aPcebqRDsg+KGQy+uTfxme4hpfG5RCZeUGj6HeFnNW2nxObSqeeL6xcSBwYHblzpiPs0Nk/BASXdP0y+QL0/bjoDApXtoVQ90p4vjuo6Ox7wBiIiTVnvPcxHzdqdoJ1oBL1YOm54xBadxdC3wVzgE33qFzHv2aCJ6JhuQXziw6VUJuJH6BGE7Cj/AzQThMikof7pWxjm9Y9dtVWMgTnvk/hMGs+QrhI0MTV2FSvXflflZXRoBPYTFXeNMAa+qicoiD4tEcBGSVzHR+HnNZoxmj4y0WnCfxTQSJy74tlk+UmZpvBiv70kTd6R0="}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
Click to see the 10 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp: | 04/16/24-22:17:55.099629 |
SID: | 2030673 |
Source Port: | 7707 |
Destination Port: | 49736 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/16/24-22:17:55.099629 |
SID: | 2035595 |
Source Port: | 7707 |
Destination Port: | 49736 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |