Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp |
Avira: detection malicious, Label: TR/Spy.Gen |
Source: 00000007.00000002.4721778629.0000000002C61000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,twinks234.duckdns.org,", "Port": "6606,7707,8808", "Version": "AWS | 3Losh", "MutexName": "mafiaEXE", "Autorun": "false", "Group": "true"} |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp |
Virustotal: Detection: 60% |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe (copy) |
Virustotal: Detection: 60% |
Source: Iu4csQ2rwX.msi |
ReversingLabs: Detection: 50% |
Source: Iu4csQ2rwX.msi |
Virustotal: Detection: 44% |
Source: unknown |
HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49732 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49743 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 20.42.65.94:443 -> 192.168.2.4:49772 version: TLS 1.2 |
Source: |
Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: Iu4csQ2rwX.msi, 6c70ae.msi.1.dr, MSI7206.tmp.1.dr |
Source: C:\Windows\System32\msiexec.exe |
File opened: z: |
Source: C:\Windows\System32\msiexec.exe |
File opened: x: |
Source: C:\Windows\System32\msiexec.exe |
File opened: v: |
Source: C:\Windows\System32\msiexec.exe |
File opened: t: |
Source: C:\Windows\System32\msiexec.exe |
File opened: r: |
Source: C:\Windows\System32\msiexec.exe |
File opened: p: |
Source: C:\Windows\System32\msiexec.exe |
File opened: n: |
Source: C:\Windows\System32\msiexec.exe |
File opened: l: |
Source: C:\Windows\System32\msiexec.exe |
File opened: j: |
Source: C:\Windows\System32\msiexec.exe |
File opened: h: |
Source: C:\Windows\System32\msiexec.exe |
File opened: f: |
Source: C:\Windows\System32\msiexec.exe |
File opened: b: |
Source: C:\Windows\System32\msiexec.exe |
File opened: y: |
Source: C:\Windows\System32\msiexec.exe |
File opened: w: |
Source: C:\Windows\System32\msiexec.exe |
File opened: u: |
Source: C:\Windows\System32\msiexec.exe |
File opened: s: |
Source: C:\Windows\System32\msiexec.exe |
File opened: q: |
Source: C:\Windows\System32\msiexec.exe |
File opened: o: |
Source: C:\Windows\System32\msiexec.exe |
File opened: m: |
Source: C:\Windows\System32\msiexec.exe |
File opened: k: |
Source: C:\Windows\System32\msiexec.exe |
File opened: i: |
Source: C:\Windows\System32\msiexec.exe |
File opened: g: |
Source: C:\Windows\System32\msiexec.exe |
File opened: e: |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: c: |
Source: C:\Windows\System32\msiexec.exe |
File opened: a: |
Source: Malware configuration extractor |
URLs: twinks234.duckdns.org |
Source: unknown |
DNS query: name: twinks234.duckdns.org |
Source: Yara match |
File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Source: global traffic |
HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1
Accept: */*
APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521
AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=
Client-Id: NO_AUTH
Content-Encoding: deflate
Content-Type: application/bond-compact-binary
Expect: 100-continue
SDK-Version: EVT-Windows-C++-No-3.4.15.1
Upload-Time: 1714035143184
Host: self.events.data.microsoft.com
Content-Length: 7974
Connection: Keep-Alive
Cache-Control: no-cache |
Source: Joe Sandbox View |
JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4 |
Source: Joe Sandbox View |
JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1 |
Source: unknown |
DNS traffic detected: query: twinks234.duckdns.org replaycode: Name error (3) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 52.165.165.26 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 199.232.214.172 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.47.204.65 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.42.65.94 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dp3LT5UDBFGklVa&MD=ECx2K67C HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com |
Source: global traffic |
DNS traffic detected: DNS query: twinks234.duckdns.org |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49772 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49772 -> 443 |
Source: Yara match |
File source: Iu4csQ2rwX.msi, type: SAMPLE |
Source: Yara match |
File source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Windows\Installer\6c70ae.msi, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Source: Iu4csQ2rwX.msi, type: SAMPLE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: Iu4csQ2rwX.msi, type: SAMPLE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: mafiachroom.exe PID: 7300, type: MEMORYSTR |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: C:\Windows\System32\msiexec.exe |
File created: C:\Windows\Installer\6c70ae.msi |
Source: C:\Windows\System32\msiexec.exe |
File created: C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E} |
Source: C:\Windows\System32\msiexec.exe |
File created: C:\Windows\Installer\inprogressinstallinfo.ipi |
Source: C:\Windows\System32\msiexec.exe |
File created: C:\Windows\Installer\MSI7206.tmp |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\mafiachroom.exe |
Code function: 7_2_029FE048 |
Source: Joe Sandbox View |
Dropped File: C:\Windows\Installer\MSI7206.tmp FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1 |
Source: Iu4csQ2rwX.msi |
Binary or memory string: OriginalFilenameStub.exe" vs Iu4csQ2rwX.msi |
Source: Iu4csQ2rwX.msi |
Binary or memory string: OriginalFilenameGoogleUpdateSetup.exe< vs Iu4csQ2rwX.msi |
Source: Iu4csQ2rwX.msi, type: SAMPLE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: Iu4csQ2rwX.msi, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 7.0.mafiachroom.exe.7c0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000007.00000002.4721202096.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000007.00000000.1669483984.00000000007C2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: mafiachroom.exe PID: 7300, type: MEMORYSTR |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: C:\Windows\Installer\6c70ae.msi, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files.cab, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: C:\Users\user\AppData\Local\Temp\MW-bf5b098d-e722-4cb5-9ffe-2c0760c327a0\files\19846695766e49c9ae2db4b896af4d3a$dpx$.tmp\d6568875baf18047a674d73da59f1fb3.tmp, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: d6568875baf18047a674d73da59f1fb3.tmp.5.dr, AtjEEKOEuHXUOep.cs |
Base64 encoded string: 'ksQPxnES2fM8HYnhktKYQddmpNNvaPZcZXlbPq8AMWbKnoeQXFPkfKVZ8UfTiDguZfOWZMfUXSgI7Ux3e+eSPQ==', 'SgQXL2QA4L9vwixmFL+JxlZfG6w8CiqLoFBV7G5CTA/DicQG+u5K2c7VX9fxnYDGxOz0G8YT9YiLMQpmhmojdNqFs06hw1ygjn44iXtNlvF4W6GHuHxbJQCJK0mWHXKk', 'sr5Xdq1ax701VPJO+EBt6ZHFQhv3uIoSV0Ju2Ui5tbo5pZda+YCweYpmscCN+cVtHAm6niAwKAWhUZCUOm3JKw==' |