Edit tour
Windows
Analysis Report
xwuh6EHyYm.exe
Overview
General Information
Sample name: | xwuh6EHyYm.exerenamed because original name is a hash value |
Original sample name: | 3B5A9930C02E7E42AC52627179137656.exe |
Analysis ID: | 1431456 |
MD5: | 3b5a9930c02e7e42ac52627179137656 |
SHA1: | c7c8753c5ff727097fdf8b02b457d34e6f88ac18 |
SHA256: | 5d6a67ab649ed8610da623191e8925e4804c9d0eb424b8f50be64b20c098a890 |
Tags: | AsyncRATexeRAT |
Infos: | |
Detection
AsyncRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match
Classification
- System is w10x64
- xwuh6EHyYm.exe (PID: 5064 cmdline:
"C:\Users\ user\Deskt op\xwuh6EH yYm.exe" MD5: 3B5A9930C02E7E42AC52627179137656) - RegAsm.exe (PID: 7152 cmdline:
#system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5352 cmdline:
#system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6352 cmdline:
#system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6312 cmdline:
#system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Ports": ["7654"], "Server": ["172.160.240.225"], "Mutex": "J9GKTh1eD4ee", "Certificate": "MIIE8jCCAtqgAwIBAgIQALFTXP9pxztw7ybT+benGTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwMzIyMTA0MDE0WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK9unb26jV+8WjRx2wi06Ti2h+PRxc4EDH40tvi/P/A40fcZTX8CgCQWyghbIxODmcB9mzQATFhkhWGnmnRV2wcSgP8EqfqpQTv94RGpGWyxR1WZtm328HVpNHsKUEczS9OE6EcSKmLjoV5u76DAUjkwGFcsjxpWMYWq1nqLJMQbP+CT8US29KRjlZWLNbMe2Zmf2HHLIT5VrFG3+o1IYgsJXghf+dM3oE+l2TYpPQiBYVr2HItV0aRAMW3XXS3tp8wtzHm6MBlrhJFvHfjZ7mfhqY+ZVBl4Cwv08z1fy8FaFgFvIHFmJLX+0W1Uz1fk9Mgyfnq35+HFEJglK6ldicExTQvndSQCl1OifbcFkRNupVfyIP605S0J16QJwxx1tzatZ/GOpOhWZvoIQHqaQAIFonTdoVgr5dZgesvB5pGlqJtWQ1r86wW3Due7exzb1+TvT47ywbVvuOFTXAXOb3OPIv9/7p0qXpzxeFnucLGz9dMWOIOGTJ/YSmPxhbM2Eb4MDg+LZot4oFV2R2ivHitNWZ1dkoxYPwfpHsjL8KJBUsxP7yi+0Yg3MK0ee52aRAq/w9vBadQrSvJGpY5deh5GBTsi9jhf86ZxMzFFBqzkjPWoFSeWgvmnbQb/bYcdPVXvKIU/KxLr7mopxxle3KiCKvFsuoP+lZIGQn9zNsoHAgMBAAGjMjAwMB0GA1UdDgQWBBQylJN6i02YXx9B2gX2CgYC6GWn7TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAY9B9YL8vKs6b9UqrSx2nPhbZCM4N8m0vByVqv+8W2RPtCimnMnWP56RmDSBMOG6Q+0+OPkAXL7kE7DLfEos8/6xb3WcEdSs7QjoVsH4bIWTtPdNOqexHvnrwJQdfo3KLLBcV54zZRijOpiEp5sG7Dmt6ELGe2Ki0lLMgweu/nyNA0RS1c4yMFKC1IC14FBXau5+JKfi+RzIazlJilwJ7CmMU6JAOI9i5XENELxFFPC2mi6LtsEKBSd4rmIXJRfoQDU+lC8UZ3eq4uZmOyKwZVf8lO0VmCuCH5ztN0VAV4qFe2KJEBl9HsDCk6gAgHq2lnZrCnbAjOu769DwQZsTBSVxRLF6J9nCyCYpQxdCpd2H3wPcx5S3vvgZP+NDuUdnlaOimS01DRQPA/Q6zNlsGctEAGLF8FQIasJ/73irn3LBrBFIVN+gONPWOlmiQR8xP7KTOZY6lJcOGNjLrBOeUzcsjZjBUX5EdZ9cDE/KmrsOfx3oW9q4PEkpVYpM4maEeyTeppn9nIKux7voOAGzcYZWWR6YbGwVgjOLZP+EGFR6gL5e2SoPS8yqvreFeYmgSkAxPNJPaYIVu8ZBx91h4xc88nB4yOuzucBrkJoPZw2TFfLXwAJYH/Z61LsEsk/40qcJ0p2HSbkB28vfUd/2vWfL9nnK9rjXSEuVLyDNFbHQ==", "Server Signature": "dln0d26m7j9pvozKWneKRbwcweOPZcXpuh13ma7W8EcxihvJqv6k7Ln/vJ5azG9Ie5ah1foF/2VBYekoCzer5TGAsFhnXX48BKlhRIkazq+I60CW7pn2JHlyXinbxW3cTt2BKICg8L56PCg7K2PHy+jnJ/HBgciompMHfBAmj1haIQG36d99GvgiZ+o8hW1bFAtXsZAJ1OhGRyaIWZT42+WOk9qJawTbJaaytPccgjbFyWdWJvxDDgq9C/n5xF6htbsWQulvbqeGcdY5KVOMzIhRJMuGOxMownjW7MK7gZNjsHbJHtGhrOJoIxDwvGYWXyqZ7wcwy34cHKA0S5O/JZ/Mcoot0F4vkQIwYzZYB/j42SGoPIAcr0Rdor82dp0ip3EG/Im+nq7XM/+H2AYjATNdaG7Lgq26kJW1eQsU+NQXzGx6ecsxc7dSBpqKz/TKbg/7x/gYEMHDF/bYTdDk7hogyTp/IfcySUAeRvuKRZSKe6EbX+sIVl4GV4NpBJYDnGXxHELD5qN2ENYI6hNdwVwUahbZO1j5h6BwVe5Rjo4hybcfO4Czovxj5DNxleffV8mbRapGsDaA5H+rqGhL7030Gc8XVtbRZ/wKnkLBcgnk/we7yUEOz49/64WAEzchCEzDXqHPd0g/wwaO2KygQG700MyNjY7XXOEYbipiD3U="}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 9 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
Click to see the 19 entries |
⊘No Sigma rule has matched
Timestamp: | 04/25/24-07:42:00.418689 |
SID: | 2030673 |
Source Port: | 7654 |
Destination Port: | 49730 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/25/24-07:42:00.418689 |
SID: | 2035595 |
Source Port: | 7654 |
Destination Port: | 49730 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |