Edit tour

Windows Analysis Report
xjXIE2ZFFSw4.exe

Overview

General Information

Sample name:	xjXIE2ZFFSw4.exe
Analysis ID:	1430613
MD5:	231e83da0623f80d134940cc17528eb3
SHA1:	99e2c48f98984b2802e62f8e54ec5773088e6b13
SHA256:	ec722b1e3fdf6f67c84676d86e717a7bd559f0eb0e28e53f6bcacc97581d6654
Tags:	DcRatexe
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected DcRat

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xjXIE2ZFFSw4.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\xjXIE2ZFFSw4.exe" MD5: 231E83DA0623F80D134940CC17528EB3)

cmd.exe (PID: 7108 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7200 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7232 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

FULL.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Roaming\FULL.exe" MD5: 231E83DA0623F80D134940CC17528EB3)

FULL.exe (PID: 7256 cmdline: C:\Users\user\AppData\Roaming\FULL.exe MD5: 231E83DA0623F80D134940CC17528EB3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Ports": ["1993"], "Server": ["rusia.duckdns.org"], "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAMpiW1YrmTD+bDAyEhYFNMtKsEnDMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDMyNjAwMDMxNloXDTMyMDEwMzAwMDMxNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIpAjdjDmYp87lgnKQjgw/HNV+OUZBLp+5wsQlPFQbgBytVTRIBCVI5+LZrpGbn47ZcgLLma7mTyft4Mp6VJxAlU/BOkiRQ5yqQGlvYrryVdwxBnyNBcxCPLyNCIPIHFju/3oVNgMkYeHprWs7E+qL+eOHGn286P7R99Nps4xqJpAgMBAAGjMjAwMB0GA1UdDgQWBBRW7ES/PqkkMvdN7EyphZ6YLF4KWDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH7z8nh4pB88Rp2H7LaikiniVCu0bsCTmkIyb3QX6hjwCfIrWmi1HSkHYVOwlEaepXZFYyswXXDLu7v0NYS6XUokLl7IKKrZqCxDrp37i19UZ+0YFp/mUuME9xFNM5s9spRf6X5aF7ANw61G872EDB78SJNnarNEyXytI2zUVZ+c", "Server Signature": "iRdOmXtQOefRF9WysbiOmzSA9uTlIyCBU05GzEsxt8ZAkgdeYkuRzRii/l9vJYaefhsab8VeQeQWm3x9cxjwJVhRTfxqjmteK+RQu1f4WdvL5ar0f24/boAOcTn7E5SdMpW5+TeYiHRH8FeBUWlNiptG2VY45kj1wZepQEEQjeA="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xjXIE2ZFFSw4.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
xjXIE2ZFFSw4.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd15a:$q1: Select * from Win32_CacheMemory 0xd19a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd236:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
xjXIE2ZFFSw4.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd796:$s1: DcRatBy

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\FULL.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\FULL.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd15a:$q1: Select * from Win32_CacheMemory 0xd19a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd236:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\FULL.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd796:$s1: DcRatBy

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000002.1709688213.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x87c:$b2: DcRat By qwqdanchun1
00000008.00000002.1710297798.0000000003041000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x54a8:$b1: DcRatByqwqdanchun
00000007.00000002.2880963232.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x54a8:$b1: DcRatByqwqdanchun
00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xe902c:$b2: DcRat By qwqdanchun1
00000000.00000002.1660448779.0000000000B94000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4c12c:$b2: DcRat By qwqdanchun1
00000007.00000002.2879895307.0000000001011000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4a9fc:$b2: DcRat By qwqdanchun1
00000000.00000002.1661055131.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3056c:$a2: timeout 3 > NUL 0x305a4:$a3: START "" " 0x54a8:$b1: DcRatByqwqdanchun
00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x29202c:$b2: DcRat By qwqdanchun1
00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x29202c:$b2: DcRat By qwqdanchun1
Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xba1d:$a1: havecamera 0x316dc:$a1: havecamera 0x1369e:$b1: DcRatByqwqdanchun 0x28421:$b1: DcRatByqwqdanchun 0x3935d:$b1: DcRatByqwqdanchun 0x4177:$b2: DcRat By qwqdanchun1 0x1eefb:$b2: DcRat By qwqdanchun1
Process Memory Space: FULL.exe PID: 7256	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: FULL.exe PID: 7256	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x236fa:$b1: DcRatByqwqdanchun 0x9c6c:$b2: DcRat By qwqdanchun1 0x105d5:$b2: DcRat By qwqdanchun1
Process Memory Space: FULL.exe PID: 7280	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: FULL.exe PID: 7280	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xee2d:$b1: DcRatByqwqdanchun 0x351d:$b2: DcRat By qwqdanchun1 0x1745e:$b2: DcRat By qwqdanchun1
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd15a:$q1: Select * from Win32_CacheMemory 0xd19a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd236:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd796:$s1: DcRatBy
0.0.xjXIE2ZFFSw4.exe.730000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xjXIE2ZFFSw4.exe.730000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd15a:$q1: Select * from Win32_CacheMemory 0xd19a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd236:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.xjXIE2ZFFSw4.exe.730000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd796:$s1: DcRatBy
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb35a:$q1: Select * from Win32_CacheMemory 0xb39a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb3e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb436:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb996:$s1: DcRatBy
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\xjXIE2ZFFSw4.exe", ParentImage: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe, ParentProcessId: 6896, ParentProcessName: xjXIE2ZFFSw4.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit, ProcessId: 7108, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7108, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' , ProcessId: 7200, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xjXIE2ZFFSw4.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\FULL.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: xjXIE2ZFFSw4.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["1993"], "Server": ["rusia.duckdns.org"], "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAMpiW1YrmTD+bDAyEhYFNMtKsEnDMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDMyNjAwMDMxNloXDTMyMDEwMzAwMDMxNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIpAjdjDmYp87lgnKQjgw/HNV+OUZBLp+5wsQlPFQbgBytVTRIBCVI5+LZrpGbn47ZcgLLma7mTyft4Mp6VJxAlU/BOkiRQ5yqQGlvYrryVdwxBnyNBcxCPLyNCIPIHFju/3oVNgMkYeHprWs7E+qL+eOHGn286P7R99Nps4xqJpAgMBAAGjMjAwMB0GA1UdDgQWBBRW7ES/PqkkMvdN7EyphZ6YLF4KWDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH7z8nh4pB88Rp2H7LaikiniVCu0bsCTmkIyb3QX6hjwCfIrWmi1HSkHYVOwlEaepXZFYyswXXDLu7v0NYS6XUokLl7IKKrZqCxDrp37i19UZ+0YFp/mUuME9xFNM5s9spRf6X5aF7ANw61G872EDB78SJNnarNEyXytI2zUVZ+c", "Server Signature": "iRdOmXtQOefRF9WysbiOmzSA9uTlIyCBU05GzEsxt8ZAkgdeYkuRzRii/l9vJYaefhsab8VeQeQWm3x9cxjwJVhRTfxqjmteK+RQu1f4WdvL5ar0f24/boAOcTn7E5SdMpW5+TeYiHRH8FeBUWlNiptG2VY45kj1wZepQEEQjeA="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FULL.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: xjXIE2ZFFSw4.exe

ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FULL.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: xjXIE2ZFFSw4.exe

Joe Sandbox ML: detected

Source: xjXIE2ZFFSw4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: rusia.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 46.246.14.10:1993

Source: Joe Sandbox View

IP Address: 46.246.14.10 46.246.14.10

Source: Joe Sandbox View

ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: rusia.duckdns.org

Source: xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002BFA000.00000004.00000800.00020000.00000000.sdmp, FULL.exe, 00000007.00000002.2880963232.0000000003548000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: xjXIE2ZFFSw4.exe, type: SAMPLE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: xjXIE2ZFFSw4.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: xjXIE2ZFFSw4.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000008.00000002.1709688213.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.1710297798.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2880963232.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.1660448779.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2879895307.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.1661055131.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: FULL.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: FULL.exe PID: 7280, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A7418 NtProtectVirtualMemory,	0_2_00007FFD9B8A7418
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A8708 NtProtectVirtualMemory,	0_2_00007FFD9B8A8708
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B7418 NtProtectVirtualMemory,	7_2_00007FFD9B8B7418
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B8708 NtProtectVirtualMemory,	7_2_00007FFD9B8B8708
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A7418 NtProtectVirtualMemory,	8_2_00007FFD9B8A7418
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A8708 NtProtectVirtualMemory,	8_2_00007FFD9B8A8708

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A7418	0_2_00007FFD9B8A7418
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A5D66	0_2_00007FFD9B8A5D66
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A6B12	0_2_00007FFD9B8A6B12
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A7D8D	0_2_00007FFD9B8A7D8D
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A847E	0_2_00007FFD9B8A847E
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A04B8	0_2_00007FFD9B8A04B8
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B7418	7_2_00007FFD9B8B7418
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B5D66	7_2_00007FFD9B8B5D66
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B6B12	7_2_00007FFD9B8B6B12
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B7D8D	7_2_00007FFD9B8B7D8D
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B847E	7_2_00007FFD9B8B847E
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B04B8	7_2_00007FFD9B8B04B8
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A5D66	8_2_00007FFD9B8A5D66
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A7418	8_2_00007FFD9B8A7418
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A6B12	8_2_00007FFD9B8A6B12
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A7D8D	8_2_00007FFD9B8A7D8D
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A847E	8_2_00007FFD9B8A847E

Source: xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs xjXIE2ZFFSw4.exe
Source: xjXIE2ZFFSw4.exe, 00000000.00000000.1631875385.0000000000742000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs xjXIE2ZFFSw4.exe
Source: xjXIE2ZFFSw4.exe	Binary or memory string: OriginalFilenameClient.exe" vs xjXIE2ZFFSw4.exe

Source: xjXIE2ZFFSw4.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: xjXIE2ZFFSw4.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000008.00000002.1709688213.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.1710297798.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.2880963232.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.1660448779.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.2879895307.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.1661055131.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: FULL.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: FULL.exe PID: 7280, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy

Source: xjXIE2ZFFSw4.exe, Settings.cs	Base64 encoded string: 'L81/McLYqt/xwbq9N3RFCcoEoaFTB5pi6Y4Xe/ExZsXVTZOCAcEFMBMMI6Yu/+n7PrnrXEJLEhcLEqmvE0Y1qg==', 'QQ3szPY0U0oOqD6157M9zuulEC5OsUjV10mxjMEt8dGAjKyhHs+l7B1n/munOsfbijmPR69Xt9CRLBy8t5w41lrPMSrnMxKSPJIk8dtSIIA=', 'nKWNgfTepj31gG/0NbILZIJAkgCb5/heZrpSotu90RKl3v85xVHfut53kkWlbZS3KJApzDCdsQnjBTJT+cNyi8qtthk/K//ekcDh3Qgs0oRvKLqXuZSmmq6APOUs6KoyVQF5nCBw8OHh9pxFdV+IwWO7T6v7oj2dTZSF+nrOVpE2fcaDkW3uqNvpr0hI5nuHkKt4vxR66q+s5pHhUyLgLB748K/W69+zlhPtvk5/xW4iwnd9dwyepP+pEjmj7g+XljVloJrcazYo6XjuB+gcNhVR5+hRPH18Ju3xSStfH/CIvnxdXYfkC4VwHiKCshbR1qVHQqHVtDZ3XSvn1Rnxt5DSkGK2Sc/mWyViUYhsjaNjn+nagWUQr7daCs8aARI4v2NJb5J5p8ZS8Yf/PeH/CrXqJKCj1JnxX+KIUYFk2Hah5ebs902/VSnQuCoYsHoekb3WnvMlc3uUKPPZcu9k8uMaD4tEuDhRSAfnzOmBAB1AB6gJxfisLH1hLhiaL/QnXOpQX/byhu+DnWUgIFGn70uLPOCvJegtyvxBjQkbnXYdqzIPqpm81kLjYHToCCHqhO/78bLWTLGX6sIcyIMNcZ9v/s+19O/wC0y+m1GpH5jk7FrCu8ekeDTeWaUzC8gwxPFzIir3u2uxprYVKFjeD+07/IrBhhaQpxWPb4/hNxbL1iLs4xFJjBsI5zs8AF8OvpN/h7d0LuD3py0irTxFyvq3/DMMd8qWI19hkE4hpIhcu0I9NbAARXTgxYzLkSpyU3cIWjoyXjHoKGWGlx2eNSIs4jr5leKUXKd5LCToB3ROqmn8Ga5WJzSqqvcNtrOe5Zh2PiPeoXNSgNKdXoh/yW4XMi1dVyr8j0vDzAGoHXbrexGv4MpHBS+6MlgC4e7/pictaJMrruQIEBkiXn5hU6Cvi0Hsdt/emmsn3N1jaqrscZnE1gWK5EXzrzOd7A7VbkpP9VC+C/QgC1omzOaEOIlNJafIjni5UCNbaTvADopExnRRxgH4VLtTg5cbQMlKXloYybDmYBZZe6Hg6qzFcGX6Em5djDfzUHiKBOY3dqPfSuQkR1bN0Jn5oLCrvENn', 'lcE7UGMkol49PPlclNhvDN8dQKqiNdU2LvNm18yWq9c1S8yF9h7Hux+oANcSRamvRT3dO4JcPhLjyY82IHLQ6Q==', 'PduhHMbzFOBTicEuaWh2qiGquR0mzvWx6ZZ+aKwpcgAeE6mmgxOVqD3cEudwugjqFXz62Nsk/5twwNvTGuFryA==', 'l6JrTVOBlUtPxl2xzOVzHLrsGqlFH+/d1r4/SbZs30jpbEWKQdrEXJqQemlE5goc6pQ11+uBVqHNBMSkU3MFtg=='
Source: FULL.exe.0.dr, Settings.cs	Base64 encoded string: 'L81/McLYqt/xwbq9N3RFCcoEoaFTB5pi6Y4Xe/ExZsXVTZOCAcEFMBMMI6Yu/+n7PrnrXEJLEhcLEqmvE0Y1qg==', 'QQ3szPY0U0oOqD6157M9zuulEC5OsUjV10mxjMEt8dGAjKyhHs+l7B1n/munOsfbijmPR69Xt9CRLBy8t5w41lrPMSrnMxKSPJIk8dtSIIA=', 'nKWNgfTepj31gG/0NbILZIJAkgCb5/heZrpSotu90RKl3v85xVHfut53kkWlbZS3KJApzDCdsQnjBTJT+cNyi8qtthk/K//ekcDh3Qgs0oRvKLqXuZSmmq6APOUs6KoyVQF5nCBw8OHh9pxFdV+IwWO7T6v7oj2dTZSF+nrOVpE2fcaDkW3uqNvpr0hI5nuHkKt4vxR66q+s5pHhUyLgLB748K/W69+zlhPtvk5/xW4iwnd9dwyepP+pEjmj7g+XljVloJrcazYo6XjuB+gcNhVR5+hRPH18Ju3xSStfH/CIvnxdXYfkC4VwHiKCshbR1qVHQqHVtDZ3XSvn1Rnxt5DSkGK2Sc/mWyViUYhsjaNjn+nagWUQr7daCs8aARI4v2NJb5J5p8ZS8Yf/PeH/CrXqJKCj1JnxX+KIUYFk2Hah5ebs902/VSnQuCoYsHoekb3WnvMlc3uUKPPZcu9k8uMaD4tEuDhRSAfnzOmBAB1AB6gJxfisLH1hLhiaL/QnXOpQX/byhu+DnWUgIFGn70uLPOCvJegtyvxBjQkbnXYdqzIPqpm81kLjYHToCCHqhO/78bLWTLGX6sIcyIMNcZ9v/s+19O/wC0y+m1GpH5jk7FrCu8ekeDTeWaUzC8gwxPFzIir3u2uxprYVKFjeD+07/IrBhhaQpxWPb4/hNxbL1iLs4xFJjBsI5zs8AF8OvpN/h7d0LuD3py0irTxFyvq3/DMMd8qWI19hkE4hpIhcu0I9NbAARXTgxYzLkSpyU3cIWjoyXjHoKGWGlx2eNSIs4jr5leKUXKd5LCToB3ROqmn8Ga5WJzSqqvcNtrOe5Zh2PiPeoXNSgNKdXoh/yW4XMi1dVyr8j0vDzAGoHXbrexGv4MpHBS+6MlgC4e7/pictaJMrruQIEBkiXn5hU6Cvi0Hsdt/emmsn3N1jaqrscZnE1gWK5EXzrzOd7A7VbkpP9VC+C/QgC1omzOaEOIlNJafIjni5UCNbaTvADopExnRRxgH4VLtTg5cbQMlKXloYybDmYBZZe6Hg6qzFcGX6Em5djDfzUHiKBOY3dqPfSuQkR1bN0Jn5oLCrvENn', 'lcE7UGMkol49PPlclNhvDN8dQKqiNdU2LvNm18yWq9c1S8yF9h7Hux+oANcSRamvRT3dO4JcPhLjyY82IHLQ6Q==', 'PduhHMbzFOBTicEuaWh2qiGquR0mzvWx6ZZ+aKwpcgAeE6mmgxOVqD3cEudwugjqFXz62Nsk/5twwNvTGuFryA==', 'l6JrTVOBlUtPxl2xzOVzHLrsGqlFH+/d1r4/SbZs30jpbEWKQdrEXJqQemlE5goc6pQ11+uBVqHNBMSkU3MFtg=='
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, Settings.cs	Base64 encoded string: 'L81/McLYqt/xwbq9N3RFCcoEoaFTB5pi6Y4Xe/ExZsXVTZOCAcEFMBMMI6Yu/+n7PrnrXEJLEhcLEqmvE0Y1qg==', 'QQ3szPY0U0oOqD6157M9zuulEC5OsUjV10mxjMEt8dGAjKyhHs+l7B1n/munOsfbijmPR69Xt9CRLBy8t5w41lrPMSrnMxKSPJIk8dtSIIA=', 'nKWNgfTepj31gG/0NbILZIJAkgCb5/heZrpSotu90RKl3v85xVHfut53kkWlbZS3KJApzDCdsQnjBTJT+cNyi8qtthk/K//ekcDh3Qgs0oRvKLqXuZSmmq6APOUs6KoyVQF5nCBw8OHh9pxFdV+IwWO7T6v7oj2dTZSF+nrOVpE2fcaDkW3uqNvpr0hI5nuHkKt4vxR66q+s5pHhUyLgLB748K/W69+zlhPtvk5/xW4iwnd9dwyepP+pEjmj7g+XljVloJrcazYo6XjuB+gcNhVR5+hRPH18Ju3xSStfH/CIvnxdXYfkC4VwHiKCshbR1qVHQqHVtDZ3XSvn1Rnxt5DSkGK2Sc/mWyViUYhsjaNjn+nagWUQr7daCs8aARI4v2NJb5J5p8ZS8Yf/PeH/CrXqJKCj1JnxX+KIUYFk2Hah5ebs902/VSnQuCoYsHoekb3WnvMlc3uUKPPZcu9k8uMaD4tEuDhRSAfnzOmBAB1AB6gJxfisLH1hLhiaL/QnXOpQX/byhu+DnWUgIFGn70uLPOCvJegtyvxBjQkbnXYdqzIPqpm81kLjYHToCCHqhO/78bLWTLGX6sIcyIMNcZ9v/s+19O/wC0y+m1GpH5jk7FrCu8ekeDTeWaUzC8gwxPFzIir3u2uxprYVKFjeD+07/IrBhhaQpxWPb4/hNxbL1iLs4xFJjBsI5zs8AF8OvpN/h7d0LuD3py0irTxFyvq3/DMMd8qWI19hkE4hpIhcu0I9NbAARXTgxYzLkSpyU3cIWjoyXjHoKGWGlx2eNSIs4jr5leKUXKd5LCToB3ROqmn8Ga5WJzSqqvcNtrOe5Zh2PiPeoXNSgNKdXoh/yW4XMi1dVyr8j0vDzAGoHXbrexGv4MpHBS+6MlgC4e7/pictaJMrruQIEBkiXn5hU6Cvi0Hsdt/emmsn3N1jaqrscZnE1gWK5EXzrzOd7A7VbkpP9VC+C/QgC1omzOaEOIlNJafIjni5UCNbaTvADopExnRRxgH4VLtTg5cbQMlKXloYybDmYBZZe6Hg6qzFcGX6Em5djDfzUHiKBOY3dqPfSuQkR1bN0Jn5oLCrvENn', 'lcE7UGMkol49PPlclNhvDN8dQKqiNdU2LvNm18yWq9c1S8yF9h7Hux+oANcSRamvRT3dO4JcPhLjyY82IHLQ6Q==', 'PduhHMbzFOBTicEuaWh2qiGquR0mzvWx6ZZ+aKwpcgAeE6mmgxOVqD3cEudwugjqFXz62Nsk/5twwNvTGuFryA==', 'l6JrTVOBlUtPxl2xzOVzHLrsGqlFH+/d1r4/SbZs30jpbEWKQdrEXJqQemlE5goc6pQ11+uBVqHNBMSkU3MFtg=='

Source: xjXIE2ZFFSw4.exe, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xjXIE2ZFFSw4.exe, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: FULL.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: FULL.exe.0.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: xjXIE2ZFFSw4.exe, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke
Source: FULL.exe.0.dr, DInvokeCore.cs	Suspicious method names: .DInvokeCore.DynamicAPIInvoke

Source: FULL.exe, 00000007.00000002.2879895307.0000000001011000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <add name="persistenceProvider" type="System.Slnr

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/5@2/1

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

File created: C:\Users\user\AppData\Roaming\FULL.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FULL.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\FULL.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF256.tmp

Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat""

Source: xjXIE2ZFFSw4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xjXIE2ZFFSw4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xjXIE2ZFFSw4.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

File read: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe "C:\Users\user\Desktop\xjXIE2ZFFSw4.exe"
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FULL.exe C:\Users\user\AppData\Roaming\FULL.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\FULL.exe "C:\Users\user\AppData\Roaming\FULL.exe"
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\FULL.exe "C:\Users\user\AppData\Roaming\FULL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: xjXIE2ZFFSw4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xjXIE2ZFFSw4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A77DD push ecx; retf	0_2_00007FFD9B8A785C
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A2458 push ebx; retf	0_2_00007FFD9B8A252A
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Code function: 0_2_00007FFD9B8A00BD pushad ; iretd	0_2_00007FFD9B8A00C1
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B77DD push ecx; retf	7_2_00007FFD9B8B785C
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 7_2_00007FFD9B8B00BD pushad ; iretd	7_2_00007FFD9B8B00C1
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A77DD push ecx; retf	8_2_00007FFD9B8A785C
Source: C:\Users\user\AppData\Roaming\FULL.exe	Code function: 8_2_00007FFD9B8A00BD pushad ; iretd	8_2_00007FFD9B8A00C1

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

File created: C:\Users\user\AppData\Roaming\FULL.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: xjXIE2ZFFSw4.exe, type: SAMPLE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"'

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: xjXIE2ZFFSw4.exe, type: SAMPLE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\FULL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Roaming\FULL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xjXIE2ZFFSw4.exe, FULL.exe.0.dr

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Memory allocated: 1B020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Memory allocated: 1B040000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe TID: 7260	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: FULL.exe, 00000007.00000002.2889039919.000000001BA7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\FULL.exe "C:\Users\user\AppData\Roaming\FULL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe	Queries volume information: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Queries volume information: C:\Users\user\AppData\Roaming\FULL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FULL.exe	Queries volume information: C:\Users\user\AppData\Roaming\FULL.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xjXIE2ZFFSw4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: xjXIE2ZFFSw4.exe, type: SAMPLE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xjXIE2ZFFSw4.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xjXIE2ZFFSw4.exe.2c005e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FULL.exe, type: DROPPED

Source: xjXIE2ZFFSw4.exe, 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, FULL.exe.0.dr	Binary or memory string: MSASCui.exe
Source: xjXIE2ZFFSw4.exe, 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, FULL.exe.0.dr	Binary or memory string: procexp.exe
Source: xjXIE2ZFFSw4.exe, 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, FULL.exe.0.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FULL.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FULL.exe PID: 7280, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjXIE2ZFFSw4.exe PID: 6896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FULL.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FULL.exe PID: 7280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 Scripting	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xjXIE2ZFFSw4.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
xjXIE2ZFFSw4.exe	100%	Avira	HEUR/AGEN.1307453
xjXIE2ZFFSw4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\FULL.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\FULL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FULL.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rusia.duckdns.org	46.246.14.10	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xjXIE2ZFFSw4.exe, 00000000.00000002.1661055131.0000000002BFA000.00000004.00000800.00020000.00000000.sdmp, FULL.exe, 00000007.00000002.2880963232.0000000003548000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.246.14.10	rusia.duckdns.org	Sweden		42708	PORTLANEwwwportlanecomSE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430613
Start date and time:	2024-04-24 00:20:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xjXIE2ZFFSw4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 24 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: xjXIE2ZFFSw4.exe

Simulations

Behavior and APIs

Time	Type	Description
23:20:57	Task Scheduler	Run new task: FULL path: "C:\Users\user\AppData\Roaming\FULL.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
46.246.14.10	xw8oKxLrOnt6.exe	Get hash	malicious	Remcos	Browse
	bPbV.exe	Get hash	malicious	Njrat	Browse
	bOVV.exe	Get hash	malicious	Njrat	Browse
	bOX1.exe	Get hash	malicious	Njrat	Browse
	bOYE.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rusia.duckdns.org	xyyDAUDPeYEH.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBL.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x6Xw7vcuD9zM.exe	Get hash	malicious	Njrat	Browse	46.246.14.23
	bTAB.exe	Get hash	malicious	Njrat	Browse	46.246.80.3
	xbd0vU3xnyOS.exe	Get hash	malicious	Njrat	Browse	46.246.6.7
	x38kbgLd6bPu.exe	Get hash	malicious	Njrat	Browse	46.246.12.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	188.126.94.80
	xVcsGL5R1Nbh.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	xyyDAUDPeYEH.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	xzcQo6GenFVf.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.5
	tajma.x86-20240422-0535.elf	Get hash	malicious	Mirai, Okiru	Browse	188.126.69.245
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBL.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBD.exe	Get hash	malicious	Njrat	Browse	46.246.14.22
	xutnF2gKGTTy.exe	Get hash	malicious	AsyncRAT	Browse	46.246.4.3

Process:	C:\Users\user\AppData\Roaming\FULL.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.349816875832946
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhaWzAbDLI4MNepQZav:ML9E4KQwKDE4KGKZI6KhBsXE4Npv
MD5:	55835A31031747B565CBC66334D871A1
SHA1:	AF3A9B50351E526BCF1E92439582879058C5B61E
SHA-256:	24767E6188A6BFB1E67FFE50E07D8637386463A8101E06B397B3DA6DF18CEBCD
SHA-512:	65A2E4918D74455BEC6143AAD22234C4E5273B4F45D671933D64D45A76AEEEE8A82CFEBDDF774E2E8956BEEA5EB6DE903BF790D8112E67929D848E51A6185604
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xjXIE2ZFFSw4.exe.log

Download File

Process:	C:\Users\user\Desktop\xjXIE2ZFFSw4.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.349816875832946
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhaWzAbDLI4MNepQZav:ML9E4KQwKDE4KGKZI6KhBsXE4Npv
MD5:	55835A31031747B565CBC66334D871A1
SHA1:	AF3A9B50351E526BCF1E92439582879058C5B61E
SHA-256:	24767E6188A6BFB1E67FFE50E07D8637386463A8101E06B397B3DA6DF18CEBCD
SHA-512:	65A2E4918D74455BEC6143AAD22234C4E5273B4F45D671933D64D45A76AEEEE8A82CFEBDDF774E2E8956BEEA5EB6DE903BF790D8112E67929D848E51A6185604
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat

Download File

Process:	C:\Users\user\Desktop\xjXIE2ZFFSw4.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	5.071644389251521
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5MrVymqRDt+kiE2J5xAInTRIJ7HVZPy:hWKqTtT6wknaZ5Mrsmq1wkn23fTWVk
MD5:	B993F8D6A94B04A2B2F3F97F165E4A58
SHA1:	A02349D1054A14A2A3638A0C78468D4C4DB6DCFE
SHA-256:	D13E45A58796A77AA5D2C6F45487365929EA0DFBCD1DC488AF9B2851E152211B
SHA-512:	7FEC3DAF4D053DD34F95E06F587927376942A41049E5072F35AB5CFFA4CF4696780B0B12ACCF6B00D8FD7942BB08804F02211D31D558B0078C274CF6F1DED36A
Malicious:	false
Reputation:	low
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\FULL.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF256.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\FULL.exe

Download File

Process:	C:\Users\user\Desktop\xjXIE2ZFFSw4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	5.825885449011946
Encrypted:	false
SSDEEP:	1536:FBtb3plA0aTdeKvR9GVyGbbuwk2iGRZVclN:FBtb3plA0aTRvR0kGbbudWzY
MD5:	231E83DA0623F80D134940CC17528EB3
SHA1:	99E2C48F98984B2802E62F8E54EC5773088E6B13
SHA-256:	EC722B1E3FDF6F67C84676D86E717A7BD559F0EB0E28E53F6BCACC97581D6654
SHA-512:	A04A6261D0F06130D19C9E2C753FAB53E55579E630D645AD9EBD5C392932C79C089CA3E6CFAA03AA056607023B607303A7B37B4A9FC6E700F8605E152F252328
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a................................. ... ....@.. .......................`............@.................................\...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........e..\|............................................................W......H3.......W......3........./.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(C......2~.....oD....s....%r...po....(h...r...p(....o....o....o....( ... ....(.....s....%r...po....r...po....%r...po.....o....o....( ...Vs.........si.........~"......"...F.(+...~!...o....*&...o.

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.825885449011946
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xjXIE2ZFFSw4.exe
File size:	64'512 bytes
MD5:	231e83da0623f80d134940cc17528eb3
SHA1:	99e2c48f98984b2802e62f8e54ec5773088e6b13
SHA256:	ec722b1e3fdf6f67c84676d86e717a7bd559f0eb0e28e53f6bcacc97581d6654
SHA512:	a04a6261d0f06130d19c9e2c753fab53e55579e630d645ad9ebd5c392932c79c089ca3e6cfaa03aa056607023b607303a7b37b4a9fc6e700f8605e152f252328
SSDEEP:	1536:FBtb3plA0aTdeKvR9GVyGbbuwk2iGRZVclN:FBtb3plA0aTRvR0kGbbudWzY
TLSH:	83535B00279CC965E2AD4AF8BCF2950146B1C9772102DA5E7CC814DB6B9FFC64A123FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4109ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x61CAEDB8 [Tue Dec 28 10:58:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1095c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe9b4	0xea00	e3729c70e0a03a9468a36df865e30103	False	0.492588141025641	data	5.8593627761280365	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xdf7	0xe00	6abcb87f121c4b14112361dcefec0ef9	False	0.40122767857142855	data	5.110115746826057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	b1388e694154bf6e19835a68482b6ee3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0x12374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 00:21:00.927364111 CEST	49730	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:01.359601974 CEST	1993	49730	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:01.862138033 CEST	49730	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:02.342142105 CEST	1993	49730	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:02.846611977 CEST	49730	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:03.361687899 CEST	1993	49730	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:03.862139940 CEST	49730	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:04.298540115 CEST	1993	49730	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:04.799644947 CEST	49730	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:05.216152906 CEST	1993	49730	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:10.264822960 CEST	49731	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:10.783751965 CEST	1993	49731	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:11.283997059 CEST	49731	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:11.704761028 CEST	1993	49731	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:12.208487988 CEST	49731	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:12.704704046 CEST	1993	49731	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:13.205907106 CEST	49731	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:13.674380064 CEST	1993	49731	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:14.174633026 CEST	49731	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:14.657335043 CEST	1993	49731	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:19.660396099 CEST	49738	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:20.105123043 CEST	1993	49738	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:20.612176895 CEST	49738	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:21.007555962 CEST	1993	49738	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:21.518482924 CEST	49738	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:21.916994095 CEST	1993	49738	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:22.424686909 CEST	49738	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:22.897321939 CEST	1993	49738	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:23.409111977 CEST	49738	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:23.881187916 CEST	1993	49738	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:28.894610882 CEST	49739	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:29.374242067 CEST	1993	49739	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:29.877783060 CEST	49739	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:30.335619926 CEST	1993	49739	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:30.846566916 CEST	49739	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:31.275182009 CEST	1993	49739	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:31.784148932 CEST	49739	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:32.225373030 CEST	1993	49739	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:32.737202883 CEST	49739	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:33.208398104 CEST	1993	49739	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:38.222635031 CEST	49740	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:38.702404976 CEST	1993	49740	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:39.205915928 CEST	49740	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:39.668797970 CEST	1993	49740	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:40.174690008 CEST	49740	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:40.604600906 CEST	1993	49740	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:41.112211943 CEST	49740	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:41.530150890 CEST	1993	49740	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:42.034046888 CEST	49740	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:42.497343063 CEST	1993	49740	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:47.503839970 CEST	49741	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:47.992697001 CEST	1993	49741	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:48.502810001 CEST	49741	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:48.958600998 CEST	1993	49741	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:49.471615076 CEST	49741	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:49.946408033 CEST	1993	49741	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:50.455929041 CEST	49741	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:50.893457890 CEST	1993	49741	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:51.409046888 CEST	49741	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:51.910841942 CEST	1993	49741	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:56.925884962 CEST	49743	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:57.404757977 CEST	1993	49743	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:57.909204960 CEST	49743	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:58.310458899 CEST	1993	49743	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:58.815351963 CEST	49743	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:21:59.241559982 CEST	1993	49743	46.246.14.10	192.168.2.4
Apr 24, 2024 00:21:59.752953053 CEST	49743	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:00.238116026 CEST	1993	49743	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:00.752815962 CEST	49743	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:01.184041023 CEST	1993	49743	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:06.568893909 CEST	49744	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:07.056308031 CEST	1993	49744	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:07.565326929 CEST	49744	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:08.010200024 CEST	1993	49744	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:08.518476963 CEST	49744	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:08.934366941 CEST	1993	49744	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:09.440520048 CEST	49744	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:09.945023060 CEST	1993	49744	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:10.455949068 CEST	49744	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:10.952145100 CEST	1993	49744	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:15.958380938 CEST	49745	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:16.386327982 CEST	1993	49745	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:16.893609047 CEST	49745	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:17.374826908 CEST	1993	49745	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:17.880045891 CEST	49745	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:18.428427935 CEST	1993	49745	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:18.940581083 CEST	49745	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:19.432857990 CEST	1993	49745	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:19.940453053 CEST	49745	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:20.415724039 CEST	1993	49745	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:26.336668968 CEST	49746	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:26.822957993 CEST	1993	49746	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:27.331048012 CEST	49746	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:27.792258978 CEST	1993	49746	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:28.299756050 CEST	49746	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:28.778945923 CEST	1993	49746	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:29.284157991 CEST	49746	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:29.763557911 CEST	1993	49746	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:30.268685102 CEST	49746	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:30.727788925 CEST	1993	49746	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:35.738709927 CEST	49747	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:36.140537024 CEST	1993	49747	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:36.643506050 CEST	49747	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:37.061086893 CEST	1993	49747	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:37.565406084 CEST	49747	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:37.971230984 CEST	1993	49747	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:38.487369061 CEST	49747	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:38.964709997 CEST	1993	49747	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:39.471693039 CEST	49747	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:39.964049101 CEST	1993	49747	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:44.979595900 CEST	49748	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:45.379686117 CEST	1993	49748	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:45.893712044 CEST	49748	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:46.290133953 CEST	1993	49748	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:46.799812078 CEST	49748	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:47.213186026 CEST	1993	49748	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:47.721756935 CEST	49748	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:48.116842031 CEST	1993	49748	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:48.627939939 CEST	49748	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:49.016241074 CEST	1993	49748	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:54.020977020 CEST	49749	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:54.471116066 CEST	1993	49749	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:54.987315893 CEST	49749	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:55.399317980 CEST	1993	49749	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:55.909197092 CEST	49749	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:56.374089956 CEST	1993	49749	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:56.877937078 CEST	49749	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:57.336500883 CEST	1993	49749	46.246.14.10	192.168.2.4
Apr 24, 2024 00:22:57.846710920 CEST	49749	1993	192.168.2.4	46.246.14.10
Apr 24, 2024 00:22:58.375329971 CEST	1993	49749	46.246.14.10	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 00:21:00.686517000 CEST	53148	53	192.168.2.4	1.1.1.1
Apr 24, 2024 00:21:00.921545029 CEST	53	53148	1.1.1.1	192.168.2.4
Apr 24, 2024 00:22:06.333283901 CEST	49838	53	192.168.2.4	1.1.1.1
Apr 24, 2024 00:22:06.567931890 CEST	53	49838	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 00:21:00.686517000 CEST	192.168.2.4	1.1.1.1	0x258b	Standard query (0)	rusia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:22:06.333283901 CEST	192.168.2.4	1.1.1.1	0x4460	Standard query (0)	rusia.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 00:21:00.921545029 CEST	1.1.1.1	192.168.2.4	0x258b	No error (0)	rusia.duckdns.org		46.246.14.10	A (IP address)	IN (0x0001)	false
Apr 24, 2024 00:22:06.567931890 CEST	1.1.1.1	192.168.2.4	0x4460	No error (0)	rusia.duckdns.org		46.246.14.10	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:20:52
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\xjXIE2ZFFSw4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xjXIE2ZFFSw4.exe"
Imagebase:	0x730000
File size:	64'512 bytes
MD5 hash:	231E83DA0623F80D134940CC17528EB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1631861328.0000000000732000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1661055131.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1661055131.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1660448779.0000000000B94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1661055131.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"' & exit
Imagebase:	0x7ff6f21c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat""
Imagebase:	0x7ff6f21c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "FULL" /tr '"C:\Users\user\AppData\Roaming\FULL.exe"'
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:20:55
Start date:	24/04/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff65a1b0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:20:57
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\FULL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\FULL.exe
Imagebase:	0xb30000
File size:	64'512 bytes
MD5 hash:	231E83DA0623F80D134940CC17528EB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2880963232.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2879895307.0000000001011000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2880963232.000000000302D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\FULL.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:20:58
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\FULL.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\FULL.exe"
Imagebase:	0xe90000
File size:	64'512 bytes
MD5 hash:	231E83DA0623F80D134940CC17528EB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.1709688213.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.1710297798.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.1710297798.000000000304D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	44.9%
Total number of Nodes:	49
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFD9B8A7418 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d82b24f36b2c5ee425dbc0b767a3a54e553ed839866c74f8d85b5e625d359a
Instruction ID: f4c263bc0c94faadbc55bfe45bc482ccbd418ebe55316afae3ae00f3ebb86363
Opcode Fuzzy Hash: c9d82b24f36b2c5ee425dbc0b767a3a54e553ed839866c74f8d85b5e625d359a
Instruction Fuzzy Hash: C4C14831E0CA0D4FE72DEB6898266F977E1EF99310F44417ED45AC31DAEE2868078791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A8708 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FFD9B8A87D4

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9bcc4dc18577248d41b7f47d7d0d92544910e75f818dda8f48d7917facc0de07
Instruction ID: 7a87d1f70402374b3ab96592078dce3dd5f84a488bc3b45e1d58c29d38a7dc05
Opcode Fuzzy Hash: 9bcc4dc18577248d41b7f47d7d0d92544910e75f818dda8f48d7917facc0de07
Instruction Fuzzy Hash: B431B331A1CB4C8FDB5CDB5CA8166ED77E1EB98320F00426FE04DD3296DA74A9458BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A5D66 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56423adde24acd2833670a8dad534373116d9fff71c2404d1e83a9455164d82d
Instruction ID: 7bdd2d656b8dc4f0aee64b2d317557b2fdb1ad3934a906236fa8347fd6f4b43b
Opcode Fuzzy Hash: 56423adde24acd2833670a8dad534373116d9fff71c2404d1e83a9455164d82d
Instruction Fuzzy Hash: C6F1C770A09A4D8FEBA8DF28C855BE977E1FF58310F04426EE85DC7295DF3499818B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A6B12 Relevance: .5, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e824393bad76764ce350ffcdc3572a0085fddaaabf5cc96cbf2f88a2073f6742
Instruction ID: 94a45c12613f6a0151621a340ece140a129be24aa7fe86fdf81ac9babcca309f
Opcode Fuzzy Hash: e824393bad76764ce350ffcdc3572a0085fddaaabf5cc96cbf2f88a2073f6742
Instruction Fuzzy Hash: 73E1D570A09A4D8FEBA8DF28C8657E977E1FF58310F04426ED84DC7295DF74A9418B81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B8A04B8 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888c65a30d67acf69043d46820a7a5e4ae5351785fa4dc662934aa77e83e54f4
Instruction ID: 9373c4e5a02d19c6b822b02ec3ab51fe13ceea65765c2b15c0557083491c2aa2
Opcode Fuzzy Hash: 888c65a30d67acf69043d46820a7a5e4ae5351785fa4dc662934aa77e83e54f4
Instruction Fuzzy Hash: 1ED15621F0DA494FF72DAB6898665B977D1EF99310B04417EE49AC31EBED2878038391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A847E Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a539f5738dd3b36994e7642b8aae479c7b39b984163811ac343aa0ebbcb5e797
Instruction ID: 850af5916dad7896007a2a2ba3cbfdd3b3d69c7c393a53dc021dd0babc6adb38
Opcode Fuzzy Hash: a539f5738dd3b36994e7642b8aae479c7b39b984163811ac343aa0ebbcb5e797
Instruction Fuzzy Hash: B9513231E0DB494AE32ABBB18C654FA77E1EF99210B44447ED497C34DBED28B4078252

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A7D8D Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1665787514.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_xjXIE2ZFFSw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a2add857d59da24138b609c01089e6c1daf692ad1478f6fc543d7e2ece03f7
Instruction ID: d586edc954e10b2a7de69623416d10b5e46713452eedaf848a6166832c137577
Opcode Fuzzy Hash: f6a2add857d59da24138b609c01089e6c1daf692ad1478f6fc543d7e2ece03f7
Instruction Fuzzy Hash: 5E411531E18A094AE72DFB618C665FA73E1EF58314F44443ED49BC34DAED38B5078682

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: FULL.exePID: 7256, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 00007FFD9B8B7418 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2890201364.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8b0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd7834e23a39fa11d29bac8ba648241efa7edd9452ee47092491d2baeb2b760
Instruction ID: b694c71774a9cfbad8bc88f29105e5ec1e6669de1eec19787f1753921094f901
Opcode Fuzzy Hash: 4dd7834e23a39fa11d29bac8ba648241efa7edd9452ee47092491d2baeb2b760
Instruction Fuzzy Hash: 6BC11831E0CA0D4FE72DAB7898666FA77E1EF99310F04417ED45AC31DADE2868078781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8B8708 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FFD9B8B87D4

Memory Dump Source

Source File: 00000007.00000002.2890201364.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8b0000_FULL.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 22eea38f2f0d70449b339aa630a95c665c9df49eade625dd0150f0ec411f3b30
Instruction ID: 2def842cec042165d48fcdccfdf9d1222ef4da15783f207aaf866525d11a62a8
Opcode Fuzzy Hash: 22eea38f2f0d70449b339aa630a95c665c9df49eade625dd0150f0ec411f3b30
Instruction Fuzzy Hash: 0931B331A1CB5C8FDB1C9B5CA8166ED77E1EB98320F00426FE04ED3296DA70A9458BC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: FULL.exePID: 7280, Parent PID: 6824COMMON

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFD9B8A7418 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a5000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3552f14b8a0a0f5acd744e700b69946686f9d6657a8d414b0e79fcf55e80b19a
Instruction ID: f4c263bc0c94faadbc55bfe45bc482ccbd418ebe55316afae3ae00f3ebb86363
Opcode Fuzzy Hash: 3552f14b8a0a0f5acd744e700b69946686f9d6657a8d414b0e79fcf55e80b19a
Instruction Fuzzy Hash: C4C14831E0CA0D4FE72DEB6898266F977E1EF99310F44417ED45AC31DAEE2868078791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A8708 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FFD9B8A87D4

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a5000_FULL.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 18c29e9bd076a72736ec96729a141eac9de9078362c304bf8389e5fc56cdfe82
Instruction ID: 7a87d1f70402374b3ab96592078dce3dd5f84a488bc3b45e1d58c29d38a7dc05
Opcode Fuzzy Hash: 18c29e9bd076a72736ec96729a141eac9de9078362c304bf8389e5fc56cdfe82
Instruction Fuzzy Hash: B431B331A1CB4C8FDB5CDB5CA8166ED77E1EB98320F00426FE04DD3296DA74A9458BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A0BB1 Relevance: 1.4, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#CM_^, xrefs: 00007FFD9B8A0C11, 00007FFD9B8A0D70

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: daf2283f92c0b0683a7b50a3465dc679255bd3ffee826fca48caf50eb2deee17
Instruction ID: fc78bfe2832b67cad1a6543e190289a393b222483232a9862f5478331f1e9faf
Opcode Fuzzy Hash: daf2283f92c0b0683a7b50a3465dc679255bd3ffee826fca48caf50eb2deee17
Instruction Fuzzy Hash: 6551B021F2F65F4AFBB577E480716BD6290AF49B08F120439E45D961E3DD1DBA4082A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A0738 Relevance: 1.4, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M_^), xrefs: 00007FFD9B8A077A

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID: M_^)
API String ID: 0-1230036679
Opcode ID: e3699e87c4f444fb4092538a707958e28fd05ae6c2b53af5d9232b40a53aae62
Instruction ID: fdeb46232630ab7c81770d154210313dbb116fb3575b88d415d4133cefc6ae23
Opcode Fuzzy Hash: e3699e87c4f444fb4092538a707958e28fd05ae6c2b53af5d9232b40a53aae62
Instruction Fuzzy Hash: 3A212563B094698BE65AB76CACB95E937D0DF9422C70502B2D09CCB0D3EC2834879695

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1C95 Relevance: .3, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56be7f81c8a7c1f120b3fb8a6649a8ad3ae59f617e40f42a86d23a2b706f6b64
Instruction ID: 98d99aae012a555fe69b8cbe7ea34a5ba99fdff19505b834c7ea25cec82b96c0
Opcode Fuzzy Hash: 56be7f81c8a7c1f120b3fb8a6649a8ad3ae59f617e40f42a86d23a2b706f6b64
Instruction Fuzzy Hash: C9913A62F1E94E4FE7A9B77C58696B877D2EF99200B0502BBD05DC72DBDD186C028381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A2585 Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e5d15d2e0cfc31f2158725a86c720101cdf51e780c6f35d34ed8c3e4296c8e
Instruction ID: a44ca32d30f5d1b094973a20cd3a91cb7f53fda9db44d76e041328278ac1f6e2
Opcode Fuzzy Hash: a6e5d15d2e0cfc31f2158725a86c720101cdf51e780c6f35d34ed8c3e4296c8e
Instruction Fuzzy Hash: 2091F931B0E94E4FEBB8AFA885655B977D2FF98350B05017AD00EC32E6DE28BD418751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A0E7E Relevance: .3, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1107400f7df2b4c5d86a95dc32f84696af3fcaf22755371019b446bfa822b773
Instruction ID: f07a2f1cb4ecb41d31431b24bc44b7d0d2093eb5e6dad88ce516775b4e66b558
Opcode Fuzzy Hash: 1107400f7df2b4c5d86a95dc32f84696af3fcaf22755371019b446bfa822b773
Instruction Fuzzy Hash: F7911A20B1EA898FC756F77884709A53BE2EF8A20079540F9E04CC7597CE3E9942C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A365C Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32d2352d3ca071bb7c93c31028c8b336ea088bcae2c8a1a972a3fe13778fd69
Instruction ID: b60a4a27c676790c5c6327d1d282ede0e35e89bcb4bc0a6f74d6d1d7d3063aa2
Opcode Fuzzy Hash: c32d2352d3ca071bb7c93c31028c8b336ea088bcae2c8a1a972a3fe13778fd69
Instruction Fuzzy Hash: 56518471908A1C8FDB68DF58D855BE9BBF1FF59310F0082AAD04DD3292DE34A9858F81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A14C8 Relevance: .2, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7922aac201a0a7820adf3709a20df0e55f4ca82e4ff97432fc63f1ff1ab6957d
Instruction ID: a799c31b59e5e71fe55a9bf8f7d296a2b63fd4f38d7716752e5a27afb6daa331
Opcode Fuzzy Hash: 7922aac201a0a7820adf3709a20df0e55f4ca82e4ff97432fc63f1ff1ab6957d
Instruction Fuzzy Hash: D8517321B1990D4FEB98FBAC84A5BB873E2EF9C750F550179D00ED32D6DE28A842C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1239 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56bc92a4919b4212dd402bd6f31d904882f51678d24678c6aebc61bb471555b
Instruction ID: d5447bd7158733f7ef50430bec305985b4a54c6c088b24c312a363e0952cf6a2
Opcode Fuzzy Hash: b56bc92a4919b4212dd402bd6f31d904882f51678d24678c6aebc61bb471555b
Instruction Fuzzy Hash: DE411A21B1DA490FE759E75894267B977D1EF9A314F0501BEE48EC32D6DE18AC028392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A2A38 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc285f7e4c0bd0d75a8cd670513ea122d523811abec723c8b8585925281a381
Instruction ID: 0c06afddde69e74ac1137c5a78ad2bbc3c254cc36583afe4566637f3da4fe6be
Opcode Fuzzy Hash: 7dc285f7e4c0bd0d75a8cd670513ea122d523811abec723c8b8585925281a381
Instruction Fuzzy Hash: B641133190CB588FDB2CDFA898566E97BE0EF55321F00426FD08AC3292DE74A4468791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1F8D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4d13351f46df7530dad4e527a317202b46582ded233817c78d8c27d194a67a
Instruction ID: b78d5f07ec49b9ba991c7b6fa1e0f0fbe03b9904ad85372d64b928e89bd1d94f
Opcode Fuzzy Hash: 3a4d13351f46df7530dad4e527a317202b46582ded233817c78d8c27d194a67a
Instruction Fuzzy Hash: F2413A30F09A894FD796FB7888696B97BE1EF89314B0400FAE00CC71E3DE289841C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A166D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d54bca8d07e797d01b69738f8c381f10c9e9b247fa23a3ff3a4c8c3aae6db53
Instruction ID: f14604e7489d855c4c14295e5846e5ab6963d1b12d7b690938d2c1d2845fdbbc
Opcode Fuzzy Hash: 7d54bca8d07e797d01b69738f8c381f10c9e9b247fa23a3ff3a4c8c3aae6db53
Instruction Fuzzy Hash: EE215131B1991D8FDBA8FBACD4655BDB3E2EF8D611B410276D11ED3295CE24A8018790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A13E5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5c95ac88546809c1cbad396418b83f34c88f76b949baa1b2c1b9a22fb86012
Instruction ID: ce4ca9a39ea6f1560b09a14ebbd89854e6cb6376956f6c2f309510d68cf0ca96
Opcode Fuzzy Hash: bf5c95ac88546809c1cbad396418b83f34c88f76b949baa1b2c1b9a22fb86012
Instruction Fuzzy Hash: 2C11A320A0FAC84FE387E3785868AA47FE1AF8B214B1A01F7D088CB0B7C9584945C312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A07C8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f3be14a6fe67dd0eee1965fc07e3c4acf90ee6837214139eca04deaab3684f
Instruction ID: 20240a29d1770219f8fe7148459786c1f71cd96a4baac1cbd356f0cee0ef46f1
Opcode Fuzzy Hash: b6f3be14a6fe67dd0eee1965fc07e3c4acf90ee6837214139eca04deaab3684f
Instruction Fuzzy Hash: 06F02B21B0981D5FF798F26C54F8AFD27D1DF9C22971400B7E04CC3197EC18A8828341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A13A3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1902addfb70e577174bc903c6ad7a2700bbd20b7b9a2d40a19ad955d3a6e93e1
Instruction ID: dd308aa31df0770a939f7a460617637933b6e0e7efa980725fdee659fda5858c
Opcode Fuzzy Hash: 1902addfb70e577174bc903c6ad7a2700bbd20b7b9a2d40a19ad955d3a6e93e1
Instruction Fuzzy Hash: 70E0E57250D64C1EEB08AA59AC17CF77BA8DA87274B00015FF29D81063F0127923C266

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A07E0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7498fe73d2e0c44fb775c7bba7234e8303c2806aa19779d28cf7d0c020e363
Instruction ID: 10d73a90174af0be67b8a6da6ff5583b7bdf36568e2a0bc72608b9866e1da4be
Opcode Fuzzy Hash: ea7498fe73d2e0c44fb775c7bba7234e8303c2806aa19779d28cf7d0c020e363
Instruction Fuzzy Hash: 93E02B21B15C0C1FE7D4F76C4498F7D12C1EB9C2157110076E40CC32AADC149C818351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A2560 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1716733410.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b8a0000_FULL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ea6f61483fe33f1df37bac147940462f8ee128e6ed77072dc074a202811cb9
Instruction ID: 3cb401cfc91bce11a837f61182e150bc9549f742821392fb34b965e7280f05d1
Opcode Fuzzy Hash: b3ea6f61483fe33f1df37bac147940462f8ee128e6ed77072dc074a202811cb9
Instruction Fuzzy Hash: DCC01210E9B20B00ECF437F416721B412411F0D704FC60874D89D411E3DD5FF6550472

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xjXIE2ZFFSw4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FULL.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xjXIE2ZFFSw4.exe.log

C:\Users\user\AppData\Local\Temp\tmpF256.tmp.bat

C:\Users\user\AppData\Roaming\FULL.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
xjXIE2ZFFSw4.exe

Function 00007FFD9B8A7418 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Function 00007FFD9B8A8708 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Function 00007FFD9B8A5D66 Relevance: .5, Instructions: 475
COMMON

Function 00007FFD9B8A6B12 Relevance: .5, Instructions: 464
COMMON

Function 00007FFD9B8B7418 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Function 00007FFD9B8B8708 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON