Windows Analysis Report
xmo4WvZPV3Q0.exe

Overview

General Information

Sample name:	xmo4WvZPV3Q0.exe
Analysis ID:	1428935
MD5:	f9df5d58f05141ffb8bc31ceee65e6f4
SHA1:	a47a42d314b3f85c4cf424270b56d8dc51933602
SHA256:	d79a750ee167a5091e3b3d72a7d0e818e4eb816d74cbf173bc65c54f8563f986
Tags:	DcRatexe
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xmo4WvZPV3Q0.exe

Avira: detected

Found malware configuration

Source: xmo4WvZPV3Q0.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["7095"], "Server": ["procesoexitos1.duckdns.org"], "Mutex": "ESPECIALES777", "Certificate": "MIICMDCCAZmgAwIBAgIVAMaBeR9P3Ul+SdXWCbf4dEVfPoRFMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDIwNDE1MDcxN1oXDTMzMTExMzE1MDcxN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKc8o3jPsEuo8oWGV/dKkjetOpEe003VLgZvyH72e4hhVOKpVhCoXfNzypj62QwbJzZNiJEjKbHcMIBTj6FXTcN0crxDt9y9Zkqcv5bHQt7qEhSGlQDWusiPiFi/ZUm5aABL1L3ZDlEq0EomTSE+zogqLxeR4JBAsV0AR4buL7SRAgMBAAGjMjAwMB0GA1UdDgQWBBQmwIernSRvdh/MqJJVki/p4G9lwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAIQGk5vP6qdN4EaKNY/YrbRS91Tu9QPKlufTNOzSlJxuxr062vtdFPTQylkVTc+MeL3xUB8gBMAixsOc/vHhhjk6N+XsPz/AvA0eRze9Tje1kzVx/fH+uv1/dBFR0/I8hyBB6C1MxQ5E4tNT4z0yGxYsRw0P9j2sVHbmQKMh1R2n", "Server Signature": "lwh/qdaHbWIu6f8uSxAHSISPHNRHAzgruRhQNWqQRlu7lJl8nxyAs2H16BDfUOVvTNX4EnwLAmj0LZ++/DIk6hY7dnjRVpVjHkX6Y7J+dQuB6Kygp66xDLX85/NLq+ar+ROOpnzkgl2aUJchTybHgtbnAZSqlZBmwx2BkLQKD3I="}

Multi AV Scanner detection for submitted file

Source: xmo4WvZPV3Q0.exe

ReversingLabs: Detection: 81%

Machine Learning detection for sample

Source: xmo4WvZPV3Q0.exe

Joe Sandbox ML: detected

Source: xmo4WvZPV3Q0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 179.13.0.175:7095 -> 192.168.2.8:49705
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 179.13.0.175:7095 -> 192.168.2.8:49705

Uses dynamic DNS services

Source: unknown

DNS query: name: procesoexitos1.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 179.13.0.175:7095

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 179.13.0.175 179.13.0.175

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: procesoexitos1.duckdns.org

Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab%d
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabB
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: xmo4WvZPV3Q0.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Code function: 1_2_00007FFB4B368346	1_2_00007FFB4B368346
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Code function: 1_2_00007FFB4B3630E2	1_2_00007FFB4B3630E2
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Code function: 1_2_00007FFB4B3690F2	1_2_00007FFB4B3690F2

Sample file is different than original file name gathered from version info

Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328913578.000000000045E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs xmo4WvZPV3Q0.exe
Source: xmo4WvZPV3Q0.exe	Binary or memory string: OriginalFilenameClient.exe" vs xmo4WvZPV3Q0.exe

Yara signature match

Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: xmo4WvZPV3Q0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.xmo4WvZPV3Q0.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000001.00000002.2578546588.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2576593809.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: xmo4WvZPV3Q0.exe, Settings.cs	Base64 encoded string: 'S6oK3ETgwOyjnyuvY19lfXR8Ux/STQPOoaj+2t3BW3TJJXjgyrppgAAbKaWPefCcVQoR76o7aYcpEa8Afor9YQ==', 'zm6I1nWjcqcwpJ+fvYkxrcIHvOpNI9sufIBXOD9KK8Z2aJhBqNr+RgpAFkcP3BbEZSBzPAFNqshs8d8AuP27j12TxCk2A88m6WeynoAZUMU=', 'YlhnB889aeoBkz1xd6q9+OYB3j+ENt+jeiRrt7tI4jLeERvB1XN2bjhgPD+l5zouFW/EEuZ2iYY3wsZrbyoaZQ==', 'i2+5ahEBqWDq9/jZYwWM+shEPInt5YI1zuu86vK4vO/MMU4TdG/gjhDREv72reunjz0p9CYuhM14G/vi3mZzmA==', 'HP3JZeQ8Vzf5MH+OxFJnVhF6hjJpdVzPQkPLy7DfSU99mMMgFrIgXemY84JiMbpM660OX44C35/+VCYlLKXV8NEKKO8LJPfHuQVgG9GHDWHIigsewx3f1pz7/H/G07WmT09SXnDmkddHAhtCzcRK/HCGfPPft5UWACZC6lY5qrlXnD2srSvF5x2EKZPcTAGSD75jl76Iwh7v7ldISth04Bgfra0d0trG2Fd+z9O9QFbKwQ94ScFA4tbf9F+ha2XHxh9DYUGZYE36V1dY3pmXJJVpBbDWaRd+XLyXaL4hBAPXmfZF2X+UshnDO8186C6Nefm8/stbiugNwJIAp3APnQpbxUfVK9f63Riuyooatw6zh4d+BS29sYI+bjX54rGpKz0YjyHDFNjgdq+3h8wDJm3+jCNT3Ie9nmREmHmFidiJGQN5iA2zfq7LaG8wg3CYwIggMjbbH8L5Fe16RS5c22RSkEyfPKKNyYAu0RhVapOq3M99lMxUFVjXOSqJY8ewtqZAtAavNuHTMHEw8TpUW/EDIaRAjQmdeKa6bKFuzfm15W/BpqWGHuANx2fVmPsFrhLOjQB9pd/BMXJsFWGywf5wzN3RFcN98bnlIdumN5WP5IQWbXsMA4RCPxzLY9UWVU7ulaKTuZOGZu0MkLrpws6XqrF75x0Q+THFNIg9h/KmjFVq+BdpoQa496zTWMOuV7wii1ZJ3kJMf2Lq3RWjv409WKAnIi8hOzY5rG+xD4XwNL+T7OQGte+z2ATl2thFy5aGRLqq03J+SxaHUhMgad+Ak76iJpQTmBf6t3LRmpmcbpa2hPMKQZHIG2cROhY9zp7tymprkOwTE+tyl0n8HJ5VSKwnsxgoUeg1tfho4fsEUvgqPMTmaJ7yMNDws4BD2YjKYiJeMrgxvH09lNKEoP7l8a1k9sQazsX4kDKMqMERj+EzGiyiRcRMSCzj5nZeuOPA03Ws51q+YDryHscrnJOv9jJASzWqkUQRh0M8BOUpxHfOuOBmooFnB4W66FOU/IEZ8Hz+GNDDX/nAUXdoPXsYeRao5HVvHddu1xDxh/2+oKEktmIynuIiM+VclSKm', 'jHtx8ij/qb8PDY1XAwRXvByVt6pTkVMBj8mKnk0Zub8LJ1pFZlWzWRmETnCvenzOLLONTzpeCF816H7dDEgVAUV4cy898Z1876FMWqLav3hNA3UfY+8/krDI93UxO7XqNsxyDHavHMI2vfomC/VldKlcxFBHn6CQJCcqB18YTujxOt9H7GwWLRXxxEp0bp1bp/vpScQqAcUvfEovJ+ElLNzHfYKn6QqkTaTWaFhYCQf6n3//6O3WcnJNXC51jULvmPTh1Iv+4bTnIWctbvnKzt7TGokZXjZop7HLsHCBfAg=', 'HpQydJmuV+6q45SvJESTODdH/pXmdgGqPUx9ZRLHtzVwvZ9/mD2RitjKFGh3Teqc/WrbZBsj8r6y8Kj57JeLUA==', 'tFQwiHTprwFpHfXsSkammmcXJq4P8ekJTalvUG64VOuWZeg0slV5MCRvzmORJM/KCkyR2rHeYJ0am5a0EKxSgQ=='
Source: xmo4WvZPV3Q0.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: xmo4WvZPV3Q0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xmo4WvZPV3Q0.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Section loaded: msdmo.dll	Jump to behavior

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Memory allocated: 9A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Memory allocated: 1AA00000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Window / User API: threadDelayed 9449			Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe	Window / User API: threadDelayed 419			Jump to behavior

Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 6348	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 6452	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 5940	Thread sleep count: 9449 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xmo4WvZPV3Q0.exe TID: 5940	Thread sleep count: 419 > 30	Jump to behavior

Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578479760.000000001B24A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B393000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578479760.000000001B24A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: xmo4WvZPV3Q0.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: xmo4WvZPV3Q0.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: xmo4WvZPV3Q0.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: xmo4WvZPV3Q0.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576593809.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: xmo4WvZPV3Q0.exe, 00000001.00000002.2578546588.000000001B3F0000.00000004.00000020.00020000.00000000.sdmp, xmo4WvZPV3Q0.exe, 00000001.00000002.2576145165.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: xmo4WvZPV3Q0.exe, 00000001.00000000.1328895348.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 00000001.00000002.2576593809.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2576593809.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xmo4WvZPV3Q0.exe PID: 6964, type: MEMORYSTR

ID:	1428935
Product:	CloudBasic
Start time:	21:35:06
Start date:	19.04.2024
Sample:	xmo4WvZPV3Q0.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f9df5d58f05141ffb8bc31ceee65e6f4
SHA1:	a47a42d314b3f85c4cf424270b56d8dc51933602
SHA256:	d79a750ee167a5091e3b3d72a7d0e818e4eb816d74cbf173bc65c54f8563f986
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	6E60C681712968FE1AF5F2FB7E12BF71	5452CF23098D3961C6EC15A4460CACBA2B90849A	F19B96AC0581E8E87F4FC30794D50BB31BD5568D9005F0C4058C8F2C056DA661

Windows Analysis Report xmo4WvZPV3Q0.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
xmo4WvZPV3Q0.exe

Malware Threat Intel
Provided by