Edit tour

Windows Analysis Report
xPvEDYX7g1YE.exe

Overview

General Information

Sample name:	xPvEDYX7g1YE.exe
Analysis ID:	1428969
MD5:	4e11d0fdde3aa0cfdadbaebf83743bf1
SHA1:	b56cbb419e4fdc7d21ee9cc24c82d9a2ab107b77
SHA256:	6df5a6787c28c8d0568d6286ea2723fad317f6f42e796f4ac7f72a6db63925d3
Tags:	AsyncRATexe
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xPvEDYX7g1YE.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\xPvEDYX7g1YE.exe" MD5: 4E11D0FDDE3AA0CFDADBAEBF83743BF1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Ports": ["3080"], "Server": ["firmes777.duckdns.org"], "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "gGGkyV1mB4oB/JHmZ1DsPCIuQYzXa0FFKsF5NQHpSE2tqf+6nDOc68lnpSkmkVAeoPEEmdiIiDLiyu+Kc3AWmxlTNv9r+0ICY4jQqd1jQre34/hKKXoYzL/lQ4+94KhErMlnl58v4lDczvQ2ovTdFYCMlNqgQtVBiTopx2hVzWkKeyL1I1qTtt5oIAXqhStLAC4jxDLrzvBFL/IZOwaD4v5KHlyGgCr93bGZbSNbGWpkScT09w8Oft3JbvV5Lionisa+D9A3x/GegTvy1PH/7ywX6+3c35hmwNuJbRq4drUPX4dKZarpXzHF2CkVkiY92QnZ90VVinqYI9SNi02ohT6UCWAyBrhFPC5sPP7BDKjMb7GR+IlwpTasghmUX+fiGD2LRpf/8p0yph4kD013vZrRaSiRnoDdOO9pnVMgZVT7dt6hnhmLRtpsT4onO5jcbrsEF73JuEdylWZj/6zHqk6gAsp7ptMF73yj/REykiKLDY4ogENXyW6m3fffn+tmPfh8CXIMa4yXipZO08G1mrST781EcuChUUu2yzfXXCyHQI0j6R5JCB5zPsdNztoWTSUyRIIKmo2IQ5Jh++I17u96Z9iIfNHAtbZc+a8GWPG5D6FKEkTAjGbJEDFtJs8QMLEOEmxXZRiJqMwHX40aK9EWsofEUjOZmO/TPPChoHs="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xPvEDYX7g1YE.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
xPvEDYX7g1YE.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
xPvEDYX7g1YE.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc564:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fe2:$a3: get_ActivatePong 0xc77c:$a4: vmware 0xc5f4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ee9:$a6: get_SslClient
xPvEDYX7g1YE.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5f6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4449015352.0000000004D36000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xca93:$x1: AsyncRAT 0xcad1:$x1: AsyncRAT
00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc3f6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: xPvEDYX7g1YE.exe PID: 4208	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: xPvEDYX7g1YE.exe PID: 4208	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1f51a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: xPvEDYX7g1YE.exe PID: 4208	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc01f:$x1: AsyncRAT 0xc051:$x1: AsyncRAT 0x1f5e0:$s6: VirtualBox 0x1f593:$s8: Win32_ComputerSystem
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xPvEDYX7g1YE.exe.430000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xPvEDYX7g1YE.exe.430000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.xPvEDYX7g1YE.exe.430000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc564:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fe2:$a3: get_ActivatePong 0xc77c:$a4: vmware 0xc5f4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ee9:$a6: get_SslClient
0.0.xPvEDYX7g1YE.exe.430000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5f6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xPvEDYX7g1YE.exe

Avira: detected

Found malware configuration

Source: xPvEDYX7g1YE.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["3080"], "Server": ["firmes777.duckdns.org"], "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "gGGkyV1mB4oB/JHmZ1DsPCIuQYzXa0FFKsF5NQHpSE2tqf+6nDOc68lnpSkmkVAeoPEEmdiIiDLiyu+Kc3AWmxlTNv9r+0ICY4jQqd1jQre34/hKKXoYzL/lQ4+94KhErMlnl58v4lDczvQ2ovTdFYCMlNqgQtVBiTopx2hVzWkKeyL1I1qTtt5oIAXqhStLAC4jxDLrzvBFL/IZOwaD4v5KHlyGgCr93bGZbSNbGWpkScT09w8Oft3JbvV5Lionisa+D9A3x/GegTvy1PH/7ywX6+3c35hmwNuJbRq4drUPX4dKZarpXzHF2CkVkiY92QnZ90VVinqYI9SNi02ohT6UCWAyBrhFPC5sPP7BDKjMb7GR+IlwpTasghmUX+fiGD2LRpf/8p0yph4kD013vZrRaSiRnoDdOO9pnVMgZVT7dt6hnhmLRtpsT4onO5jcbrsEF73JuEdylWZj/6zHqk6gAsp7ptMF73yj/REykiKLDY4ogENXyW6m3fffn+tmPfh8CXIMa4yXipZO08G1mrST781EcuChUUu2yzfXXCyHQI0j6R5JCB5zPsdNztoWTSUyRIIKmo2IQ5Jh++I17u96Z9iIfNHAtbZc+a8GWPG5D6FKEkTAjGbJEDFtJs8QMLEOEmxXZRiJqMwHX40aK9EWsofEUjOZmO/TPPChoHs="}

Multi AV Scanner detection for submitted file

Source: xPvEDYX7g1YE.exe

ReversingLabs: Detection: 76%

Machine Learning detection for sample

Source: xPvEDYX7g1YE.exe

Joe Sandbox ML: detected

Source: xPvEDYX7g1YE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xPvEDYX7g1YE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: firmes777.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: xPvEDYX7g1YE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 179.13.0.175:3080

Source: Joe Sandbox View

IP Address: 179.13.0.175 179.13.0.175

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: firmes777.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: xPvEDYX7g1YE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: xPvEDYX7g1YE.exe, LimeLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: xPvEDYX7g1YE.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: xPvEDYX7g1YE.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4449015352.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: xPvEDYX7g1YE.exe, 00000000.00000000.1981728567.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs xPvEDYX7g1YE.exe
Source: xPvEDYX7g1YE.exe	Binary or memory string: OriginalFilenameStub.exe" vs xPvEDYX7g1YE.exe

Source: xPvEDYX7g1YE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xPvEDYX7g1YE.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: xPvEDYX7g1YE.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4449015352.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: xPvEDYX7g1YE.exe, Settings.cs

Base64 encoded string: 'oHCMYs0h64XjmL6nYONqSDbgWpwIcWRCy0mBTv8aEbARHkogNsZO1coaAVixJhhIo7bHHjvNEkYXPtnaryXu4w==', 'TnSYhEgeSHIqFus4F2O5Q6hLO1G8tb1EWkzY/FyFJ+FbBaXV/SpChk/AX6c1dIpPzTTNiD9bDlxd2ZuC6Q2COBYgWfCxqoKjSRY3z8Iho+o=', 'YLbyR7FcPb5y3wyu0S1vPrhlnKqJJpjYHTYcZfMdFu7EWJqnk7w9FxNzGcD+TFJ+0ftp6Zi/GEOwsPM/jcNkTKi12Z2+Lp2oGN7V3cbJziU=', '/oTtgZDpZ/RMkL00rZd2H2rgxCtE9LBs38HQrDcyVBkWo+EXlNAOBcvW5iqucikbfKNGQP180qC0Tp7LuGxYcw==', 'uaSrBlvze6wFXL88jQD7cm0Gfs0qtI9sBx2u2BnBnZ+KLHHg4teTMfGDKDVioyvaB7xAqOBcpnCIN1kbn3qD/S8+f5uro+n7jBlKiLSjW9k=', 'RFn5hZVsYy6nsl5kQvkMzUFU/YGVtsKsPaW2WtpHM0XPVeyOtnC0CzF0Br2VRCSIBRCqn4w43FcyDOcTV/ErGQ==', 'GXuQaGHx+VMKNPpi6NKTcHIO3AyfoVrizQ+DEjuHYpU0hD457aqi+WycAdGr2h9ZI9QHfrOyEoLu5NeATHhy6w==', 'TmTxTdwdm/e86jufjUQx1dy1ftAF4sQXRS1cqc9lZJLHvQ07TS/Spt2R9iBHKvY25rBdakUjAuHP3EVMp4ZWqg==', 'YeocTeKNQS2RHnaaJRV1+L3t+FsyCdRWpGtcTJv8K8/5D18YH6SSb7LJxu8e8iOLPW+XTKkxKDDdfZq83egddQ=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@4/1

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: xPvEDYX7g1YE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xPvEDYX7g1YE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xPvEDYX7g1YE.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: xPvEDYX7g1YE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xPvEDYX7g1YE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: xPvEDYX7g1YE.exe, Packet.cs

.Net Code: Plugins System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D014F9 push eax; ret	0_2_00D01506
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D006B0 push esp; ret	0_2_00D006BA
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D00637 push edi; ret	0_2_00D00652
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D00637 push ecx; ret	0_2_00D006AA
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D01B68 push esp; ret	0_2_00D01B76
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D01718 push esp; ret	0_2_00D01722
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Code function: 0_2_00D01708 push esp; ret	0_2_00D01712

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: xPvEDYX7g1YE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: xPvEDYX7g1YE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xPvEDYX7g1YE.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

Window / User API: threadDelayed 9716

Jump to behavior

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe TID: 1220	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe TID: 1220	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe TID: 1220	Thread sleep count: 9716 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe TID: 1220	Thread sleep time: -9716000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: xPvEDYX7g1YE.exe	Binary or memory string: vmware
Source: xPvEDYX7g1YE.exe, 00000000.00000002.4449015352.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

Queries volume information: C:\Users\user\Desktop\xPvEDYX7g1YE.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\xPvEDYX7g1YE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: xPvEDYX7g1YE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xPvEDYX7g1YE.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xPvEDYX7g1YE.exe PID: 4208, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xPvEDYX7g1YE.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRATMarte
xPvEDYX7g1YE.exe	100%	Avira	TR/Dropper.Gen
xPvEDYX7g1YE.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
firmes777.duckdns.org	179.13.0.175	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
179.13.0.175	firmes777.duckdns.org	Colombia		27831	ColombiaMovilCO	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428969
Start date and time:	2024-04-19 23:50:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xPvEDYX7g1YE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@4/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xPvEDYX7g1YE.exe, PID 4208 because it is empty
VT rate limit hit for: xPvEDYX7g1YE.exe

Simulations

Behavior and APIs

Time	Type	Description
23:51:34	API Interceptor	8724884x Sleep call for process: xPvEDYX7g1YE.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
179.13.0.175	xmo4WvZPV3Q0.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xXQ39a5f9EJP.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse
	xBoD1uCJo8Dc.exe	Get hash	malicious	XWorm	Browse
	xffRCvQIkXWb.exe	Get hash	malicious	XWorm	Browse
	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse
	xVDnoXtgbTMW.exe	Get hash	malicious	AsyncRAT	Browse
	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse
	xVDnoXtgbTMW.exe	Get hash	malicious	AsyncRAT	Browse
	x1h52dJdta0O.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
firmes777.duckdns.org	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse	179.13.0.175
	xVDnoXtgbTMW.exe	Get hash	malicious	AsyncRAT	Browse	179.13.0.175
	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse	179.13.0.175
	xVDnoXtgbTMW.exe	Get hash	malicious	AsyncRAT	Browse	179.13.0.175
	xf9obZbyKks2.exe	Get hash	malicious	Njrat	Browse	179.13.0.175
	xvONQE15fXnp.exe	Get hash	malicious	Njrat	Browse	179.13.0.175
	x2WroBFVZxLz.exe	Get hash	malicious	Njrat	Browse	179.13.0.175

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	xmo4WvZPV3Q0.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	179.13.0.175
	xXQ39a5f9EJP.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	179.13.0.175
	6VXQ3TUNZo.elf	Get hash	malicious	Mirai	Browse	181.207.246.71
	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	191.90.223.182
	tu.exe	Get hash	malicious	Remcos	Browse	179.14.10.110
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse	179.13.0.175
	enEQvjUlGl.elf	Get hash	malicious	Mirai	Browse	181.207.212.107
	Ns1xkTsDQO.elf	Get hash	malicious	Mirai	Browse	181.68.139.5
	7t5zI3LtK8.elf	Get hash	malicious	Mirai	Browse	181.207.212.113
	MYb7GhRJl7.elf	Get hash	malicious	Mirai	Browse	181.69.231.0

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.391214586131594
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xPvEDYX7g1YE.exe
File size:	64'512 bytes
MD5:	4e11d0fdde3aa0cfdadbaebf83743bf1
SHA1:	b56cbb419e4fdc7d21ee9cc24c82d9a2ab107b77
SHA256:	6df5a6787c28c8d0568d6286ea2723fad317f6f42e796f4ac7f72a6db63925d3
SHA512:	4ba422fbc3eb60c40272d8061b5ab0cc76c7d6447914d81fd684ef550cbb211cba2b2fc59aed5402bf594eee400cdd8a9292b118a0c8a317cd7644df3a45a6e1
SSDEEP:	1536:v2wukvF1ak9gcKu5UYFLGXw5bfAPWjp2rPlTGhx:v2dkvF1ak9Ku5UYFLGXw5bfVEdax
TLSH:	6B53E7013BF98029F3BE8F7469F7658106FAF5AF2D12C55D1C8950CE0632B869941BBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vjzd................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x410e8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x647A6A76 [Fri Jun 2 22:17:26 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e40	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xee94	0xf000	89c3f37a715ae88ca612817d2477d811	False	0.45602213541666664	data	5.428084767246338	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x7ff	0x800	33cdbc5c50f34a35b4f0e61582ac7f11	False	0.41650390625	data	4.884866150337139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	c55d7a245ac64e9737ec35df4d0d8d84	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1236c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 23:51:00.049468994 CEST	49704	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:00.240345001 CEST	3080	49704	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:00.741806030 CEST	49704	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:00.930176020 CEST	3080	49704	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:01.444924116 CEST	49704	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:01.644979000 CEST	3080	49704	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:02.148024082 CEST	49704	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:02.339859962 CEST	3080	49704	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:02.851188898 CEST	49704	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:03.044276953 CEST	3080	49704	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:08.057815075 CEST	49705	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:08.570611000 CEST	3080	49705	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:09.085536957 CEST	49705	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:09.270031929 CEST	3080	49705	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:09.773025036 CEST	49705	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:09.945053101 CEST	3080	49705	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:10.444920063 CEST	49705	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:10.633446932 CEST	3080	49705	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:11.148021936 CEST	49705	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:11.335710049 CEST	3080	49705	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:17.555567026 CEST	49714	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:17.746253014 CEST	3080	49714	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:18.257402897 CEST	49714	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:18.461204052 CEST	3080	49714	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:18.976197004 CEST	49714	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:19.165797949 CEST	3080	49714	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:19.679435968 CEST	49714	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:19.875679016 CEST	3080	49714	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:20.382401943 CEST	49714	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:20.575714111 CEST	3080	49714	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:25.586774111 CEST	49715	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:25.770560980 CEST	3080	49715	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:26.273041964 CEST	49715	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:26.454384089 CEST	3080	49715	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:26.960666895 CEST	49715	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:27.134128094 CEST	3080	49715	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:27.648077965 CEST	49715	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:27.923147917 CEST	3080	49715	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:28.429277897 CEST	49715	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:28.619221926 CEST	3080	49715	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:33.634888887 CEST	49716	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:33.800091028 CEST	3080	49716	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:34.304284096 CEST	49716	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:34.470480919 CEST	3080	49716	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:34.976239920 CEST	49716	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:35.134443045 CEST	3080	49716	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:35.648108006 CEST	49716	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:35.803144932 CEST	3080	49716	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:36.304359913 CEST	49716	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:36.460656881 CEST	3080	49716	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:41.477737904 CEST	49717	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:41.668308973 CEST	3080	49717	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:42.179322004 CEST	49717	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:42.374516010 CEST	3080	49717	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:42.882365942 CEST	49717	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:43.059470892 CEST	3080	49717	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:43.569992065 CEST	49717	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:43.754139900 CEST	3080	49717	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:44.257416964 CEST	49717	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:44.432477951 CEST	3080	49717	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:49.445924997 CEST	49718	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:49.630960941 CEST	3080	49718	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:50.132421970 CEST	49718	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:50.345232010 CEST	3080	49718	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:50.852118969 CEST	49718	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:51.028820038 CEST	3080	49718	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:51.538656950 CEST	49718	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:51.720448017 CEST	3080	49718	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:52.226130009 CEST	49718	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:52.416570902 CEST	3080	49718	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:57.430399895 CEST	49720	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:57.628851891 CEST	3080	49720	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:58.132427931 CEST	49720	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:58.324143887 CEST	3080	49720	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:58.835521936 CEST	49720	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:59.024338961 CEST	3080	49720	179.13.0.175	192.168.2.5
Apr 19, 2024 23:51:59.538685083 CEST	49720	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:51:59.729640007 CEST	3080	49720	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:00.241745949 CEST	49720	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:00.434160948 CEST	3080	49720	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:06.203833103 CEST	49721	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:06.363889933 CEST	3080	49721	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:06.866724014 CEST	49721	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:07.037877083 CEST	3080	49721	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:07.538711071 CEST	49721	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:07.699399948 CEST	3080	49721	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:08.210505009 CEST	49721	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:08.418519974 CEST	3080	49721	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:08.929529905 CEST	49721	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:09.100023985 CEST	3080	49721	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:14.102370024 CEST	49722	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:14.278162003 CEST	3080	49722	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:14.788594007 CEST	49722	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:14.978461027 CEST	3080	49722	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:15.491719961 CEST	49722	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:15.665376902 CEST	3080	49722	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:16.179236889 CEST	49722	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:16.379256964 CEST	3080	49722	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:16.882332087 CEST	49722	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:17.065251112 CEST	3080	49722	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:22.071396112 CEST	49724	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:22.230817080 CEST	3080	49724	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:22.741750002 CEST	49724	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:22.910820007 CEST	3080	49724	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:23.413626909 CEST	49724	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:23.591228962 CEST	3080	49724	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:24.257544994 CEST	49724	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:24.420857906 CEST	3080	49724	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:25.069823980 CEST	49724	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:25.234375000 CEST	3080	49724	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:30.243886948 CEST	49725	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:30.425160885 CEST	3080	49725	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:30.930778980 CEST	49725	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:31.112052917 CEST	3080	49725	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:31.616714001 CEST	49725	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:31.804899931 CEST	3080	49725	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:32.319839954 CEST	49725	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:32.510672092 CEST	3080	49725	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:33.022985935 CEST	49725	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:33.206249952 CEST	3080	49725	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:38.211462021 CEST	49726	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:38.661075115 CEST	3080	49726	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:39.163558006 CEST	49726	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:39.347203016 CEST	3080	49726	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:39.851067066 CEST	49726	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:40.037992001 CEST	3080	49726	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:40.538631916 CEST	49726	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:40.727327108 CEST	3080	49726	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:41.241712093 CEST	49726	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:41.446196079 CEST	3080	49726	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:46.461321115 CEST	49727	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:46.630117893 CEST	3080	49727	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:47.132338047 CEST	49727	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:47.300108910 CEST	3080	49727	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:47.804191113 CEST	49727	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:47.970571041 CEST	3080	49727	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:48.476068974 CEST	49727	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:48.753209114 CEST	3080	49727	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:49.258785009 CEST	49727	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:49.415951967 CEST	3080	49727	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:54.430233002 CEST	49728	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:54.616938114 CEST	3080	49728	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:55.118762016 CEST	49728	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:55.299510956 CEST	3080	49728	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:55.804167032 CEST	49728	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:55.989216089 CEST	3080	49728	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:56.491699934 CEST	49728	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:56.683588982 CEST	3080	49728	179.13.0.175	192.168.2.5
Apr 19, 2024 23:52:57.196787119 CEST	49728	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:52:57.369106054 CEST	3080	49728	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:02.383562088 CEST	49729	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:02.573950052 CEST	3080	49729	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:03.085526943 CEST	49729	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:03.260884047 CEST	3080	49729	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:03.772931099 CEST	49729	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:03.952640057 CEST	3080	49729	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:04.460481882 CEST	49729	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:04.649631023 CEST	3080	49729	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:05.163558960 CEST	49729	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:05.344739914 CEST	3080	49729	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:10.493227005 CEST	49730	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:10.669480085 CEST	3080	49730	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:11.179662943 CEST	49730	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:11.352988005 CEST	3080	49730	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:11.866698027 CEST	49730	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:12.055516958 CEST	3080	49730	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:12.569797039 CEST	49730	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:12.734040976 CEST	3080	49730	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:13.241925001 CEST	49730	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:13.419368029 CEST	3080	49730	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:18.430140018 CEST	49731	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:18.604981899 CEST	3080	49731	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:19.116648912 CEST	49731	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:19.296766043 CEST	3080	49731	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:19.804146051 CEST	49731	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:20.485131979 CEST	3080	49731	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:20.991672993 CEST	49731	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:21.566802979 CEST	3080	49731	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:22.085403919 CEST	49731	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:22.261214018 CEST	3080	49731	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:27.274116993 CEST	49732	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:27.440104961 CEST	3080	49732	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:27.991662025 CEST	49732	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:28.144953966 CEST	3080	49732	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:28.694778919 CEST	49732	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:28.861524105 CEST	3080	49732	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:29.366774082 CEST	49732	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:29.528940916 CEST	3080	49732	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:30.038635015 CEST	49732	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:30.193340063 CEST	3080	49732	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:35.211384058 CEST	49733	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:35.398006916 CEST	3080	49733	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:35.907289028 CEST	49733	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:36.095524073 CEST	3080	49733	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:36.601126909 CEST	49733	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:36.801152945 CEST	3080	49733	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:37.304189920 CEST	49733	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:37.502928972 CEST	3080	49733	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:38.007299900 CEST	49733	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:38.260415077 CEST	3080	49733	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:44.318661928 CEST	49734	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:44.484211922 CEST	3080	49734	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:45.148004055 CEST	49734	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:45.305440903 CEST	3080	49734	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:45.944777966 CEST	49734	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:46.108779907 CEST	3080	49734	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:46.632286072 CEST	49734	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:46.799880981 CEST	3080	49734	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:47.335547924 CEST	49734	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:47.498399973 CEST	3080	49734	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:52.508790016 CEST	49735	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:52.697546959 CEST	3080	49735	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:53.210392952 CEST	49735	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:53.405378103 CEST	3080	49735	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:53.913537979 CEST	49735	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:54.191601992 CEST	3080	49735	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:54.694777012 CEST	49735	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:54.882422924 CEST	3080	49735	179.13.0.175	192.168.2.5
Apr 19, 2024 23:53:55.382263899 CEST	49735	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:53:55.561628103 CEST	3080	49735	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:02.211847067 CEST	49736	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:02.384239912 CEST	3080	49736	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:02.975996971 CEST	49736	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:03.149945021 CEST	3080	49736	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:03.772877932 CEST	49736	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:03.940566063 CEST	3080	49736	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:04.475994110 CEST	49736	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:04.645656109 CEST	3080	49736	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:05.272922039 CEST	49736	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:05.444802046 CEST	3080	49736	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:10.602323055 CEST	49737	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:10.784192085 CEST	3080	49737	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:11.304142952 CEST	49737	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:11.485954046 CEST	3080	49737	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:11.991626024 CEST	49737	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:12.167671919 CEST	3080	49737	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:12.679183960 CEST	49737	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:12.867904902 CEST	3080	49737	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:13.382791996 CEST	49737	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:13.573149920 CEST	3080	49737	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:18.586532116 CEST	49738	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:18.773789883 CEST	3080	49738	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:19.288881063 CEST	49738	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:19.464947939 CEST	3080	49738	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:19.975979090 CEST	49738	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:20.454111099 CEST	3080	49738	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:20.960397005 CEST	49738	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:21.440251112 CEST	3080	49738	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:21.944753885 CEST	49738	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:22.128113985 CEST	3080	49738	179.13.0.175	192.168.2.5
Apr 19, 2024 23:54:27.134824991 CEST	49739	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:28.147874117 CEST	49739	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:30.163482904 CEST	49739	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:34.163535118 CEST	49739	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:42.163451910 CEST	49739	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:53.195671082 CEST	49740	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:54.305222034 CEST	49740	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:54:56.319716930 CEST	49740	3080	192.168.2.5	179.13.0.175
Apr 19, 2024 23:55:00.319698095 CEST	49740	3080	192.168.2.5	179.13.0.175

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 23:50:59.902915955 CEST	59176	53	192.168.2.5	1.1.1.1
Apr 19, 2024 23:51:00.042330980 CEST	53	59176	1.1.1.1	192.168.2.5
Apr 19, 2024 23:52:06.015899897 CEST	57086	53	192.168.2.5	1.1.1.1
Apr 19, 2024 23:52:06.156191111 CEST	53	57086	1.1.1.1	192.168.2.5
Apr 19, 2024 23:53:10.351980925 CEST	53882	53	192.168.2.5	1.1.1.1
Apr 19, 2024 23:53:10.492247105 CEST	53	53882	1.1.1.1	192.168.2.5
Apr 19, 2024 23:54:10.461199045 CEST	61400	53	192.168.2.5	1.1.1.1
Apr 19, 2024 23:54:10.601329088 CEST	53	61400	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 23:50:59.902915955 CEST	192.168.2.5	1.1.1.1	0x9600	Standard query (0)	firmes777.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:52:06.015899897 CEST	192.168.2.5	1.1.1.1	0xdcdd	Standard query (0)	firmes777.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:53:10.351980925 CEST	192.168.2.5	1.1.1.1	0xde46	Standard query (0)	firmes777.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:54:10.461199045 CEST	192.168.2.5	1.1.1.1	0x1dc2	Standard query (0)	firmes777.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 23:51:00.042330980 CEST	1.1.1.1	192.168.2.5	0x9600	No error (0)	firmes777.duckdns.org	179.13.0.175	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:52:06.156191111 CEST	1.1.1.1	192.168.2.5	0xdcdd	No error (0)	firmes777.duckdns.org	179.13.0.175	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:53:10.492247105 CEST	1.1.1.1	192.168.2.5	0xde46	No error (0)	firmes777.duckdns.org	179.13.0.175	A (IP address)	IN (0x0001)	false
Apr 19, 2024 23:54:10.601329088 CEST	1.1.1.1	192.168.2.5	0x1dc2	No error (0)	firmes777.duckdns.org	179.13.0.175	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:50:54
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\xPvEDYX7g1YE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xPvEDYX7g1YE.exe"
Imagebase:	0x430000
File size:	64'512 bytes
MD5 hash:	4E11D0FDDE3AA0CFDADBAEBF83743BF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4449015352.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1981603943.0000000000432000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00D020F7 Relevance: 5.4, Strings: 4, Instructions: 439COMMON

Download Yara Rule

Strings

xaq, xrefs: 00D02736
,, xrefs: 00D02230
a]q, xrefs: 00D026FC
a]q, xrefs: 00D0269F

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID: a]q$ a]q$,$xaq
API String ID: 0-452644037
Opcode ID: b77803d9a233180519542b036fd3d93c7d60b65678f0d7848652dac62cf2df19
Instruction ID: 59a668ae2aa2fcd4cbfc636f4570b66aa7b846a28e587a077f3dd78b1c6f94b0
Opcode Fuzzy Hash: b77803d9a233180519542b036fd3d93c7d60b65678f0d7848652dac62cf2df19
Instruction Fuzzy Hash: F802AD34B002049FD715EF68D554B6E77E2FF84700F248968E40A9B3A9DBB4EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D00F89 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D00FB5
(aq, xrefs: 00D0125A

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID: (aq$Te]q
API String ID: 0-2961548996
Opcode ID: 6b170d65e93e71e217bebf4c49e2ac08c92c5ebcb5662f52211d220624a70b50
Instruction ID: 73f4c00ef87cc59c597a65808022b6025e2309f546bdb48f0b82ffc7e7c885b2
Opcode Fuzzy Hash: 6b170d65e93e71e217bebf4c49e2ac08c92c5ebcb5662f52211d220624a70b50
Instruction Fuzzy Hash: 7A419035B105108FCB489F6DD458B5EBBE2FF89710F2580A9E806DB3A6CE75DC018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00D00DE8 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00D00E23
Haq, xrefs: 00D00F08

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: 5c74d7ad4265b27e996fdc236fe697682bad4c0257473871c69872defb288cac
Instruction ID: 70744fcf324380ab820873be820a23897ca1e2cf57a3c2448054e81fbc901af3
Opcode Fuzzy Hash: 5c74d7ad4265b27e996fdc236fe697682bad4c0257473871c69872defb288cac
Instruction Fuzzy Hash: 5031A031A002049FCB19DF69C454BAEBFF2BF89300F1449A9E506AB3A1CB75DD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0140F Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00D01453

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: cbb0e6352a92025d2d398742a27bb4b435333366238e018f2c671208136eacc1
Instruction ID: 2f5676630b0427b736d0936626b869b147acf51bc8be2a159962318f1f9c13c6
Opcode Fuzzy Hash: cbb0e6352a92025d2d398742a27bb4b435333366238e018f2c671208136eacc1
Instruction Fuzzy Hash: 3221AD34F001168FCB54EB788591A6EBBF2AFC8304B14456DE54ADB3A5DE34DC028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D00DE7 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00D00E23

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: 5c06beeba112f23ebe404aae1c27c74928f8b0f87b6bbf52d3b5d296bbcceace
Instruction ID: 3a83abc4e10be045d8f27f2269910ec8ed38074262774e20e3b1bb79b65ee050
Opcode Fuzzy Hash: 5c06beeba112f23ebe404aae1c27c74928f8b0f87b6bbf52d3b5d296bbcceace
Instruction Fuzzy Hash: A0318175A002049FCB14DF69D558BAEBFF1BF48300F148569E405AB3A1CB75DD05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D00B57 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287535f827dc2a53814ecac944943b1423d3c77fe827cd0c382f99965787cba5
Instruction ID: e87c46a2627d7be6104719d7a7c6b94c7cc461ad2c1fdbb4ba8d30be33f65600
Opcode Fuzzy Hash: 287535f827dc2a53814ecac944943b1423d3c77fe827cd0c382f99965787cba5
Instruction Fuzzy Hash: 4A51E63C112A01DFC71AFF2CF984A59376AFB8470571086A8D4019B72DDBB5AD0ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D02907 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becdefd319c15df0defa87c040abb47c6485ca864761ab90a0f09c8c69d212e9
Instruction ID: 63fa427eb0179273f0f650a43d096d98b8c342e50513bc355a875f34fb9463e9
Opcode Fuzzy Hash: becdefd319c15df0defa87c040abb47c6485ca864761ab90a0f09c8c69d212e9
Instruction Fuzzy Hash: 52414F75B102289FDF049BA9ED1479D7ABBBFCC710F144529E809B3758CA386C058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00D009B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbe5880f5494cb5db2d329f8d228708cbfcb288161ff5d1b7c29c3b80787ca9
Instruction ID: 051582fb384a6b344f562ee66598cb24d7de7242b70111822b8df211ceea47c0
Opcode Fuzzy Hash: ecbe5880f5494cb5db2d329f8d228708cbfcb288161ff5d1b7c29c3b80787ca9
Instruction Fuzzy Hash: DF316E30710702AFDB59AB79A95477E7AA6BF40704B18482DD44FC72D0EF24D906CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D009B7 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3881c0fd87551cc96abf4db7c1c2f3df09891ba9485b14cfa918a0d87b23e1a2
Instruction ID: 421dfe1140005cfeeb7ac2ba0c8d722392bcd0f93203f2b5ac1f3b9e7bcc0a4e
Opcode Fuzzy Hash: 3881c0fd87551cc96abf4db7c1c2f3df09891ba9485b14cfa918a0d87b23e1a2
Instruction Fuzzy Hash: 3F315C30710702AFDB29AB79995877E3EA6BF84704B18492DD44BC72D0EF24DD018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D01310 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a604f7cd7119d0da9fdcc3d5fb029cdae8e1915322f5880df3aa76f7331622
Instruction ID: 7e525cced1af9e65bbb93fea6f31907137cd9224ed3c704771ceb397155f8584
Opcode Fuzzy Hash: 00a604f7cd7119d0da9fdcc3d5fb029cdae8e1915322f5880df3aa76f7331622
Instruction Fuzzy Hash: 72117FB1B002155FCB48AFBE595436EBAEEEFC9700B20483DD44AD7395DE388D0587A5

Uniqueness

Uniqueness Score: -1.00%

Function 00D0130F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b903bb3d8c5f0d1a55769285f694d95012549eea0666554734edc6a505a0364
Instruction ID: eb1d02633c51465f1b7af29fe6cc2fe2dfc1da4caf0a12c611678585df18e0a6
Opcode Fuzzy Hash: 9b903bb3d8c5f0d1a55769285f694d95012549eea0666554734edc6a505a0364
Instruction Fuzzy Hash: 0311AFB1B002155FCB48AFBE595436EBAEEEFC9700B20483DD44AD3396DE388C0587A5

Uniqueness

Uniqueness Score: -1.00%

Function 00D01508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ea3f6efc7a989ff8012b0c4da2ed671dc8b45268a72701e0603daf3ef79c8
Instruction ID: b7d2d2a6ae3513c0392664961fd2076f5b9120df9f13fa96f346207598ff65af
Opcode Fuzzy Hash: 3a0ea3f6efc7a989ff8012b0c4da2ed671dc8b45268a72701e0603daf3ef79c8
Instruction Fuzzy Hash: 50117978B012159FCB54EBB9D80862A7BF6BFC830471048B9D40ACB398EA34DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D027B7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b2c0ebe7d272fac0da2d54487739f28031c1e2469a8d722bef5651566ae4fe
Instruction ID: 9d45f11b26f542da5812dd8da03314b4b12897ff3f295780ee4a19331bed7f62
Opcode Fuzzy Hash: 39b2c0ebe7d272fac0da2d54487739f28031c1e2469a8d722bef5651566ae4fe
Instruction Fuzzy Hash: 2F012DB9B066028FD708DF6EE94161AFBA6FFC4714318C2AAD508DB359D670E801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D01507 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed0eb76bfcca108ba973822e667f470d0b5dba0d6bf4d9d17ad7d687e762335
Instruction ID: 6808ca39fe0de8e093372a0b0b02ded5de0c717d30ef2619739bcabfa6a18945
Opcode Fuzzy Hash: 8ed0eb76bfcca108ba973822e667f470d0b5dba0d6bf4d9d17ad7d687e762335
Instruction Fuzzy Hash: 8D016D78A012159FCB54EB78D80466E7BF6BFC830571448B9D40ADB354EA34DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D01B77 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c668b45fe46cc46147e0a23029be5c75b567a32a962d301e85ccb948c858a209
Instruction ID: 40a38c5e5ef0a44d74afcff07300dbc0c757bbd596e03a57f0d6b6c2bbc1321d
Opcode Fuzzy Hash: c668b45fe46cc46147e0a23029be5c75b567a32a962d301e85ccb948c858a209
Instruction Fuzzy Hash: 71016D3CB021158FCB18EBA9D4517BE7BA0AF45700F1440ADC40A97282DB709901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D01C60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ad4c4b0d6da2703e17683c0a4dbabb496f0e27a008aa1d62f1b2818d1407d1
Instruction ID: 0ea2883b6e2e650a98cbcdec31d951268a5843e2fd8830609a2dde37ed1fcc92
Opcode Fuzzy Hash: 42ad4c4b0d6da2703e17683c0a4dbabb496f0e27a008aa1d62f1b2818d1407d1
Instruction Fuzzy Hash: 2A01A438C10609CFD705FBBCE85575D7B75FF81304B404624C44657298EB70A904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D01C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93317ff1da34a1084f9eea8a91eb18b92d7040fdb40591f6a5bc2204672a488
Instruction ID: 35b15a318fb5ee54974669f2e636f1d344a81c2bc138183c2145f73d4966b34e
Opcode Fuzzy Hash: e93317ff1da34a1084f9eea8a91eb18b92d7040fdb40591f6a5bc2204672a488
Instruction Fuzzy Hash: 6A01F438C187898FE302EBB8D850B6C7F71AF82308B04465AC496962D5EB709905C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00D00F41 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ab11e65fc554d8850bb71606428c51550cb2c812b9bc59dff46af7ae21ebbe
Instruction ID: e2c9f33434d776db63396b21cf9751d6a44a5e66c36e7f7c893ebe09c97b1342
Opcode Fuzzy Hash: 03ab11e65fc554d8850bb71606428c51550cb2c812b9bc59dff46af7ae21ebbe
Instruction Fuzzy Hash: DEE046317152114FC7889A6DA8989AE7BAAEBC922932548BAF009C7361CA259C038750

Uniqueness

Uniqueness Score: -1.00%

Function 00D00F48 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52d117a880181dc4823edc98f8eabfde9530c6f14ed0b711e345a3f748d08b6
Instruction ID: a885242b8cf004b0d44261113aa78d5e97ead04e342ebeb613243c4a9c22fc72
Opcode Fuzzy Hash: d52d117a880181dc4823edc98f8eabfde9530c6f14ed0b711e345a3f748d08b6
Instruction Fuzzy Hash: 66E08C313002005F83449A2EA88495AB7DAEBC813531544B9E10DC7321CE60DC024390

Uniqueness

Uniqueness Score: -1.00%

Function 00D00B19 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd679aa7965ac57270bee6bdedc59ebecd600f8c295a3ae20fa828a29fd0e63a
Instruction ID: 5c619a13ce2da2e32bb0f4ec8765c9d6b91cdb6a06a1430696f806c038be08a8
Opcode Fuzzy Hash: bd679aa7965ac57270bee6bdedc59ebecd600f8c295a3ae20fa828a29fd0e63a
Instruction Fuzzy Hash: BBC08C30434548EFD30857B4D81C36C7E14EB4130EFB44155E0CB010F18E689886D633

Uniqueness

Uniqueness Score: -1.00%

Function 00D00B35 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4448040593.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_xPvEDYX7g1YE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765e43af2e0215a9afbf8159218e31a32817fe8c65da5952edd28dde9b20ef57
Instruction ID: 7ff0b66fb68bf79eda9994431eb69f727220d6434dfff38aaf9ede34804fd288
Opcode Fuzzy Hash: 765e43af2e0215a9afbf8159218e31a32817fe8c65da5952edd28dde9b20ef57
Instruction Fuzzy Hash: 7CC08C30434148EFD30867B4D80C36C7E14AF4230EFB40050E0CB020F18E689884D233

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xPvEDYX7g1YE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
xPvEDYX7g1YE.exe