Analysis Report
EGSh5caf8a.exe
Overview
General Information
Sample name: | EGSh5caf8a.exe (renamed because the original name is a hash value) |
Original sample name: | 712940BAEF78C821E36B8701BF073C52.exe |
Analysis ID: | 1428675 |
MD5: | 712940baef78c821e36b8701bf073c52 |
SHA1: | d59896b87424fafc0d00ab5e5c2019bd941167ce |
SHA256: | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f |
Tags: | AsyncRAT, exe, RAT |
Detection
AsyncRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 46 |
Range: | 0 - 100 |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- EGSh5caf8a.exe (PID: 180, cmdline: "C:\Users\user\Desktop\EGSh5caf8a.exe", MD5: 712940BAEF78C821E36B8701BF073C52)
  - schtasks.exe (30 instances, MD5: 48C2FE20575769DE916F48EF0676A965), each with one child
    - conhost.exe (cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)

Every schtasks.exe instance ran the same command line (mixed case as recorded by the sandbox), differing only in the /st value, which tracks the time of each re-creation of the task during the run:

"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st HH:MM /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST

schtasks.exe PID | /st (HH:MM) | conhost.exe PID |
---|---|---|
4816 | 11:38 | 5340 |
6748 | 11:38 | 7096 |
6608 | 11:39 | 3092 |
4692 | 11:40 | 6424 |
5856 | 11:41 | 2756 |
2412 | 11:42 | 6048 |
2256 | 11:43 | 5396 |
2924 | 11:43 | 7072 |
5172 | 11:44 | 3652 |
6672 | 11:45 | 6148 |
6452 | 11:46 | 6924 |
5648 | 11:47 | 7016 |
3300 | 11:48 | 5464 |
6192 | 11:48 | 4948 |
3960 | 11:49 | 6692 |
5868 | 11:50 | 5396 |
6220 | 11:51 | 6216 |
6616 | 11:52 | 6656 |
4252 | 11:53 | 1464 |
3092 | 11:53 | 6356 |
5464 | 11:54 | 4636 |
5468 | 11:55 | 432 |
2856 | 11:56 | 6800 |
5736 | 11:57 | 432 |
7268 | 12:01 | 7276 |
7352 | 12:07 | 7372 |
7420 | 12:13 | 7428 |
7476 | 12:17 | 7484 |
7524 | 12:21 | 7532 |
7572 | 12:25 | 7580 |
- cleanup
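The schtasks.exe command lines in the process tree are the sample's persistence mechanism: a task with a Windows-sounding name, a run target inside the user's roaming profile, the highest run level requested, a one-minute repeat interval, and the whole thing re-created over and over during the run. The following is an added example, not part of the report and not Joe Sandbox or Sigma code, of how a detection engineer can flag such lines in process-creation telemetry (Sysmon event 1 or Security event 4688 command lines). The folder regex, the reason strings, the benign control lines and the lookalike-name heuristic are the example's own assumptions; the one suspicious sample line is the report's command line with its extraction spacing repaired.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folders a scheduled task should rarely launch from. Matched case-insensitively
# against the /tr value after quotes are stripped. The report's task points into
# \AppData\Roaming\, the kind of path the "Suspicious Schtasks From Env Var
# Folder" Sigma rule keys on. The list itself is an assumption of this example.
SUSPICIOUS_DIRS = re.compile(
    r"(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|"
    r"\\ProgramData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PUBLIC%)",
    re.IGNORECASE,
)
# Heuristic (not from the report): a task name that imitates a Windows component
# but lives in the task root rather than under a \Microsoft\Windows\... folder.
LOOKALIKE_NAME = re.compile(r"^(windows|microsoft)[a-z]*\d*$", re.IGNORECASE)

R_USER_DIR = "run target in a user-writable folder"
R_HIGHEST = "run level HIGHEST requested"
R_REPEAT = "repeat interval of five minutes or less"
R_LOOKALIKE = "task name imitates a Windows component"

_TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted path or bare word


@dataclass
class Verdict:
    cmdline: str
    task_name: str = ""
    task_run: str = ""
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The path indicator is required; the other reasons only raise confidence.
        return R_USER_DIR in self.reasons


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Tokenise a schtasks command line into {switch: value}; None if not schtasks.

    Switch names and the image name are lower-cased, so the mixed case the
    sandbox recorded ("SCHtAsKs.EXe", /RL) collapses to one form.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return None
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    args: Dict[str, str] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]  # switch with a value, e.g. /tr <path>
                i += 2
                continue
            args[key] = ""  # bare flag, e.g. /f or /create
        i += 1
    return args


def analyze(cmdline: str) -> Optional[Verdict]:
    """Return a Verdict for a schtasks /create line, None for anything else."""
    args = parse_schtasks(cmdline)
    if args is None or "create" not in args:
        return None
    v = Verdict(cmdline, task_name=args.get("tn", ""), task_run=args.get("tr", ""))
    if SUSPICIOUS_DIRS.search(v.task_run):
        v.reasons.append(R_USER_DIR)
    if args.get("rl", "").lower() == "highest":
        v.reasons.append(R_HIGHEST)
    ri = args.get("ri", "")
    if ri.isdigit() and int(ri) <= 5:
        v.reasons.append(R_REPEAT)
    if LOOKALIKE_NAME.match(v.task_name):
        v.reasons.append(R_LOOKALIKE)
    return v


def scan(cmdlines: List[str]) -> List[Verdict]:
    """Run analyze over process-creation command lines and keep the suspicious ones."""
    return [v for v in (analyze(c) for c in cmdlines) if v is not None and v.suspicious]


# Constructed input: the first line is the command line from the report (spacing
# repaired); the other two are benign controls invented for this example.
SAMPLE_CMDLINES = [
    '"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 '
    '/tr "C:\\Users\\user\\AppData\\Roaming\\MicrosoftwindowsUpdates\\Accounts_Ledger_Software.eXE" '
    '/st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST',
    'schtasks.exe /create /tn "Acme\\NightlyBackup" /tr "C:\\Program Files\\Acme\\backup.exe" /sc daily /st 02:00',
    'schtasks.exe /query /tn WindowsUpdates797722446',
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_CMDLINES):
        print(verdict.task_name, "->", verdict.task_run)
        for reason in verdict.reasons:
            print("   ", reason)
```

Only the first sample line is reported; the benign task under Program Files parses but produces no reasons, and the /query line is ignored because it does not create anything. The lookalike-name check is deliberately a confidence booster rather than a trigger, since legitimate software does occasionally register tasks with "Windows" or "Microsoft" in the name.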
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other features that can harm the victim's computer. AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
{"Ports": ["6606", "7707", "8808"], "Server": ["204.12.199.30"], "Mutex": "Bbtt03i3Zbxo", "Certificate": "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", "Server Signature": "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"}
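The extracted configuration above gives the C2 server and the three ports the client cycles through, which is what produced the "Connects to many ports of the same IP" finding and the Snort hits on port 8808. As an added example, not part of the report or of any AsyncRAT tooling, the following Python turns that configuration into network indicators and runs them over constructed flow records, accepting both the client-to-server and the server-to-client orientation because sensors often log the reply. The internal hosts, the unrelated flows, the Zeek-like field names and the Suricata SID range are assumptions of the example; only the address, the ports and the mutex come from the report.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Configuration as extracted by the sandbox (copied from the report above; the
# Certificate and Server Signature fields are left out because the page does
# not reproduce them).
ASYNCRAT_CONFIG = json.loads(
    '{"Ports": ["6606", "7707", "8808"], "Server": ["204.12.199.30"], "Mutex": "Bbtt03i3Zbxo"}'
)

EPHEMERAL_PORT_MIN = 49152  # start of the Windows dynamic client port range


def c2_endpoints(config: dict) -> Set[Tuple[str, int]]:
    """Every (server, port) pair the implant may dial. The client walks the whole
    port list for each server, which is why one victim shows up on several
    ports of the same IP."""
    return {(ip, int(p)) for ip in config["Server"] for p in config["Ports"]}


def orient(flow: dict, endpoints: Set[Tuple[str, int]]) -> Optional[Tuple[str, str, int]]:
    """Return (client_ip, server_ip, server_port) if either side of the flow is a
    configured C2 endpoint, else None. The report's Snort entries have source
    port 8808 and destination port 49710, i.e. the reply direction, so a flow
    whose *source* is a C2 endpoint is accepted when the other side uses an
    ephemeral port."""
    if (flow["dst_ip"], flow["dst_port"]) in endpoints:
        return flow["src_ip"], flow["dst_ip"], flow["dst_port"]
    if (flow["src_ip"], flow["src_port"]) in endpoints and flow["dst_port"] >= EPHEMERAL_PORT_MIN:
        return flow["dst_ip"], flow["src_ip"], flow["src_port"]
    return None


def match_flows(flows: List[dict], config: dict) -> Dict[str, List[int]]:
    """Map each internal host that touched the C2 to the sorted list of C2 ports
    it reached. More than one port for the same server is the multi-port
    behaviour the report flagged."""
    endpoints = c2_endpoints(config)
    hits: Dict[str, Set[int]] = defaultdict(set)
    for flow in flows:
        if flow.get("proto", "tcp").lower() != "tcp":
            continue  # AsyncRAT's transport is TCP; ignore other protocols
        oriented = orient(flow, endpoints)
        if oriented:
            client, _server, port = oriented
            hits[client].add(port)
    return {client: sorted(ports) for client, ports in hits.items()}


def to_suricata_rules(config: dict, first_sid: int = 1000001) -> List[str]:
    """One alert rule per configured server covering all listed ports. The SID
    range is an assumption of this example (local-rules space), not something
    from the report; replace it with the site's own allocation."""
    ports = "[" + ",".join(str(int(p)) for p in config["Ports"]) + "]"
    rules = []
    for n, ip in enumerate(config["Server"]):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {ports} '
            f'(msg:"AsyncRAT C2 connection ({ip}, mutex {config["Mutex"]})"; '
            f'flow:to_server; classtype:trojan-activity; sid:{first_sid + n}; rev:1;)'
        )
    return rules


# Constructed flow records (Zeek conn.log style, fields trimmed). Only the C2
# address and ports come from the report; the internal hosts and the unrelated
# flows are invented for the example.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 49708, "dst_ip": "204.12.199.30", "dst_port": 6606, "proto": "tcp"},
    {"src_ip": "10.0.0.5", "src_port": 49709, "dst_ip": "204.12.199.30", "dst_port": 7707, "proto": "tcp"},
    # reply direction, as in the report's Snort entries: server port first
    {"src_ip": "204.12.199.30", "src_port": 8808, "dst_ip": "10.0.0.5", "dst_port": 49710, "proto": "tcp"},
    # same server but a port that is not in the configuration
    {"src_ip": "10.0.0.5", "src_port": 49711, "dst_ip": "204.12.199.30", "dst_port": 80, "proto": "tcp"},
    {"src_ip": "10.0.0.7", "src_port": 50123, "dst_ip": "198.51.100.20", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for client, ports in match_flows(SAMPLE_FLOWS, ASYNCRAT_CONFIG).items():
        flag = "  (multiple C2 ports on one server)" if len(ports) > 1 else ""
        print(f"{client} reached C2 ports {ports}{flag}")
    for rule in to_suricata_rules(ASYNCRAT_CONFIG):
        print(rule)
```

Matching on the full (server, port) tuple rather than on the IP alone keeps the port-80 flow out of the result, which matters when a C2 address is shared hosting; the generated Suricata rule is scoped the same way.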
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
 | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown | |
 | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | |
 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
 | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
 | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown | |
 | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen | |
 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |

Snort IDS Alerts
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
04/19/24-11:37:15.963600 | 2030673 | 8808 | 49710 | TCP | A Network Trojan was detected |
04/19/24-11:37:15.963600 | 2035595 | 8808 | 49710 | TCP | A Network Trojan was detected |

Both alerts fired on the reply direction: source port 8808 is the C2 listener (one of the three ports in the extracted configuration) and destination port 49710 is the client's ephemeral port.
AV Detection |
---|
Source: | Malware Configuration Extractor: |