Windows Analysis Report
ePI4igo4y1.exe

Overview

General Information

Sample name: ePI4igo4y1.exe
Renamed because the original name is a hash value
Original sample name: 76935bfc6a1783ae507f5af7bb7a5691.exe
Analysis ID: 1432120
MD5: 76935bfc6a1783ae507f5af7bb7a5691
SHA1: 11de68dc07c94d552afaca0e3d9d5950ced39b3a
SHA256: 9cb9f9145a6ee0e02edeb9bc4def3214418342fe7e3a130ba8511a1c8ed77fcd
Tags: 32, AsyncRAT, exe, trojan

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Found suspicious QR code URL
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides a keylogger, remote desktop control, and many other functions that can harm the victim's computer. AsyncRAT is delivered via spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection

Source: ePI4igo4y1.exe Avira: detected
Source: ePI4igo4y1.exe Malware Configuration Extractor: AsyncRAT {"Ports": ["3323"], "Server": ["94.156.128.246"], "Certificate": "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", "Server Signature": "Nqmv2wcVsrvOtblyG8sJBjCK4OtVpmu+0MeaEENdF0nNwRBS2ufhHl+dHxPk9rtPNZIeP4yX29qDlc6C3SBJna8aLLUbuTswGiGbzTvgG3Kof2hq3JsexjXflK9EnTPJtiN2AXv6Il0e00efLcWM2f3XJQg2DdfixbLC35+xB+s="}
Source: ePI4igo4y1.exe ReversingLabs: Detection: 76%
Source: ePI4igo4y1.exe Virustotal: Detection: 75%
Source: ePI4igo4y1.exe Joe Sandbox ML: detected

Phishing

Source: QR Code extractor URL: http:// (scheme only, no host; the same empty URL is what chrome.exe is later launched with, see the Process created entries under System Summary)
Source: QR Code extractor URL: 439391902758926017610517255313142298274480438044440121118994274987582850918190225834287726796126916145629914721733522710987616657314017765228865740646039848432710886743079548303442292437255394730948145864446775953265103441173709868657701742473083641111846265878297930501228044440623708994274155610283273472685443265118076120507592582475581488374897107878413328648070843912630936634157
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.168.112.67:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: ePI4igo4y1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 94.156.128.246:3323 -> 192.168.2.4:49730
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 94.156.128.246:3323
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1 | Accept: */* | APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521 | AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p= | Client-Id: NO_AUTH | Content-Encoding: deflate | Content-Type: application/bond-compact-binary | Expect: 100-continue | SDK-Version: EVT-Windows-C++-No-3.4.15.1 | Upload-Time: 1714134708629 | Host: self.events.data.microsoft.com | Content-Length: 7976 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View ASN Name: BELCLOUDBG
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.128.246 (48 entries; this is the server from the extracted configuration, contacted directly by IP)
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGJu7rrEGIjAoqyexFOGLbT8aLOaA_R2zVcAlbcD7V11k6B8b8yEPzaS9F1blMUQnJ9DYpXZ_bH4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: 1P_JAR=2024-04-26-12; NID=513=ajmUOexKwGMh0AvseEoWnqvqvcnjinuBPSdrVSftflPccZwEDAhTnWaTaY0UcGkJWJwwLniKDkt6ugI1rLHDeVR4Ks1DuZUZDuWm9lIyv24LXQCiHULnjblafcAxqSR7bwKUIInEF3BIYHF7fOTdyu4xbWUfEWcX0pr572m3BSY
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGJu7rrEGIjDDcv02CuPdWY5ubddYolN9oRq8ljClcTTSomnqqiNV12SKZZRW_Od0MHXrWW8249YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: 1P_JAR=2024-04-26-12; NID=513=ajmUOexKwGMh0AvseEoWnqvqvcnjinuBPSdrVSftflPccZwEDAhTnWaTaY0UcGkJWJwwLniKDkt6ugI1rLHDeVR4Ks1DuZUZDuWm9lIyv24LXQCiHULnjblafcAxqSR7bwKUIInEF3BIYHF7fOTdyu4xbWUfEWcX0pr572m3BSY
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E+L9AauZ856Cb3R&MD=8gCfUGcc HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=E+L9AauZ856Cb3R&MD=8gCfUGcc HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: tmp8876.tmp.dat.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp8876.tmp.dat.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: tmp8876.tmp.dat.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp8876.tmp.dat.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp8896.tmp.dat.0.dr, tmp8834.tmp.dat.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: places.raw.0.dr, tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: places.raw.0.dr, tmp8A4E.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
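The configuration recovered under AV Detection (server 94.156.128.246, port 3323) and the repeated direct-to-IP connections logged above are the actionable network indicators in this report. The following Go program is an added example, not part of the Joe Sandbox output and not AsyncRAT code: it parses the extractor's JSON (the Certificate and Server Signature fields are dropped, only Ports and Server are kept), expands every server/port pair because the client walks all combinations, emits one Suricata rule per pair (the rule syntax follows Suricata's documented format, the SID range is an arbitrary choice), and then runs two checks over simplified Zeek-style conn records: an exact C2 endpoint match and the report's own "TCP traffic without a corresponding DNS query" heuristic. The flow records and the DNS answer map are constructed for the demo, not taken from the sandbox pcap.

```go
// Added example: turn the extracted AsyncRAT config into network detections
// and run them over constructed connection records.
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the JSON the report's extractor printed (Certificate and
// Server Signature omitted on purpose; they are not needed for flow matching).
const reportConfigJSON = `{"Ports": ["3323"], "Server": ["94.156.128.246"]}`

type asyncRATConfig struct {
	Ports  []string `json:"Ports"`
	Server []string `json:"Server"`
}

func parseConfig(raw string) (asyncRATConfig, error) {
	var cfg asyncRATConfig
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// c2Endpoints expands the server and port lists into every "ip:port" pair;
// the client tries each combination, so every pair is an indicator.
func c2Endpoints(cfg asyncRATConfig) map[string]bool {
	set := map[string]bool{}
	for _, s := range cfg.Server {
		for _, p := range cfg.Ports {
			set[s+":"+p] = true
		}
	}
	return set
}

// suricataRules emits one alert per endpoint, numbering SIDs from firstSID.
func suricataRules(cfg asyncRATConfig, firstSID int) []string {
	var rules []string
	sid := firstSID
	for _, s := range cfg.Server {
		for _, p := range cfg.Ports {
			rules = append(rules, fmt.Sprintf(
				`alert tcp $HOME_NET any -> %s %s (msg:"AsyncRAT C2 from extracted config"; flow:to_server; sid:%d; rev:1;)`, s, p, sid))
			sid++
		}
	}
	return rules
}

type connRecord struct {
	TS, UID, SrcIP string
	SrcPort        int
	DstIP          string
	DstPort        int
	Proto          string
}

// parseConn reads a tab-separated record: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
func parseConn(line string) (connRecord, bool) {
	f := strings.Split(line, "\t")
	if len(f) < 7 {
		return connRecord{}, false
	}
	sp, err1 := strconv.Atoi(f[3])
	dp, err2 := strconv.Atoi(f[5])
	if err1 != nil || err2 != nil {
		return connRecord{}, false
	}
	return connRecord{TS: f[0], UID: f[1], SrcIP: f[2], SrcPort: sp, DstIP: f[4], DstPort: dp, Proto: f[6]}, true
}

// matchC2 returns every flow whose destination is a configured C2 endpoint.
func matchC2(cfg asyncRATConfig, lines []string) []connRecord {
	iocs := c2Endpoints(cfg)
	var hits []connRecord
	for _, l := range lines {
		c, ok := parseConn(l)
		if ok && iocs[c.DstIP+":"+strconv.Itoa(c.DstPort)] {
			hits = append(hits, c)
		}
	}
	return hits
}

// unresolvedDestinations reproduces the sandbox heuristic: a TCP destination
// that never appeared as a DNS answer was reached by hard-coded IP.
func unresolvedDestinations(lines []string, dnsAnswers map[string]string) []string {
	seen := map[string]bool{}
	var out []string
	for _, l := range lines {
		c, ok := parseConn(l)
		if !ok || c.Proto != "tcp" {
			continue
		}
		if _, resolved := dnsAnswers[c.DstIP]; resolved || seen[c.DstIP] {
			continue
		}
		seen[c.DstIP] = true
		out = append(out, c.DstIP)
	}
	return out
}

// Constructed sample data (not from the report's pcap): four flows, one DNS answer.
var sampleConn = []string{
	"1714134700.1\tCAbc1\t192.168.2.4\t49730\t94.156.128.246\t3323\ttcp",
	"1714134701.2\tCAbc2\t192.168.2.4\t49746\t23.193.120.112\t443\ttcp",
	"1714134702.3\tCAbc3\t192.168.2.4\t49733\t173.222.162.32\t443\ttcp",
	"1714134703.4\tCAbc4\t192.168.2.4\t49731\t94.156.128.246\t3323\ttcp",
}
var sampleDNS = map[string]string{"23.193.120.112": "www.google.com"}

func main() {
	cfg, err := parseConfig(reportConfigJSON)
	if err != nil {
		panic(err)
	}
	for _, r := range suricataRules(cfg, 9000001) {
		fmt.Println(r)
	}
	for _, h := range matchC2(cfg, sampleConn) {
		fmt.Printf("C2 hit uid=%s %s:%d -> %s:%d\n", h.UID, h.SrcIP, h.SrcPort, h.DstIP, h.DstPort)
	}
	fmt.Println("destinations never resolved via DNS:", unresolvedDestinations(sampleConn, sampleDNS))
}
```

The unresolved-destination check is deliberately separate from the exact match: the exact match only catches this build's server, while the heuristic also flags the next build that changes IP and port but keeps connecting without DNS, which is how the report surfaced the C2 address before any signature existed for it.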

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: ePI4igo4y1.exe, type: SAMPLE
Source: Yara match File source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ePI4igo4y1.exe PID: 6808, type: MEMORYSTR
Source: ePI4igo4y1.exe, Keylogger.cs .Net Code: KeyboardLayout

System Summary

Source: ePI4igo4y1.exe, type: SAMPLE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: ePI4igo4y1.exe, 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename "ClientAny.exe" vs ePI4igo4y1.exe
Source: ePI4igo4y1.exe Binary or memory string: OriginalFilename "ClientAny.exe" vs ePI4igo4y1.exe
Source: ePI4igo4y1.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: ePI4igo4y1.exe, Settings.cs Base64 encoded string: 'QFJhPLgtKAYj87j1RSbCi7457Eerjv5kX0vQpvlTFpq+JXUD4tpy/ItrkMUITi/KJk5vTnhAHgfoFks++dJnAA==', 'vtOx+iCLD+JTIjYNnRhR3P8c1/P8ql3gO84za1eAD36+0/5VuKjFDuxUp/EnClfSio2tzTzGToGfdvJI+j9N3w==', 'Rxv11xqYRSU671YgnMqPGXZIj/1uhwJElyPx3QRAf24RlH/rJeDTqlqJ3EerWRxASL6UM2WvY8sSH+9OKlA2sg==', 'V1MoP38pI2VkZx9VSy0IQJecq/pqz9PrqiWjhSlpGRw5Vf7uWxrtAtdkw509em6tGb4e7jvqVqQdoObNQG6o8ysGHOdrUIC34AzGaNG3IU8=', 'zGyBu+3tDn1XY2phASQ5NLGEL6iNd6goB1MQqoBVHMbLFCxmGf07itws4E2D2G37jy4LjIJxFw6sdLXqlEoO+Q5aia2J1RuxCdBRedScBbc15FexR66JZF6u99ZDQB3odphiO2lo6dfq6PAVXdu2HTvgPFB4QoM2CIVIMyOesA1BYOA23i+/bVK47z31IQ7DYNmQO5hn+Phm9sXgVOPEI35kbwAlvEqxfNHyQGI1eQfwwlp4SaQDj+e3Tnu5tCOFQf+Vx1xnlA+4mKi387CsRK3RSVRvy8mS4S8Xy6E+JeM=', 'HQqfqju2rXY5+8M9liB04ye/XqBOgqtehyBeH1KQShhq3bDDs/saicSZ2qWJZI25G6P6L6iXSw/4mpA8haentQ==', 'hn57Sj9G8FikFnOIKdmovP/H+RMklvUYoWUU1Q7PWmbSfewWLWzKzp4j6V1BEQQ/zZgtqzBlgyvvKxsAfeqT9w==', 'nOjJ0IYbmXFewa+4w4iSn+K1WE0qhdgLFHNlLjMQbvPd7/WUBEORc+9mJaGpHmyJ0VLdvMVwnFw6r13EnTZ3Wg==', 'g3NashaO27Eb8YpILukPQTwQwLMb1cCX9a9jO/tSqV1QDLGCI05aVgoBey/EizAvOBMM+COSFstqKF6R5pT3lQ=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@16/14@2/4
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File created: C:\Users\user\AppData\Roaming\MyData
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Mutant created: NULL
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Mutant created: \Sessions\1\BaseNamedObjects\dhhtyh7D3j798D3JY73DJ
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File created: C:\Users\user\AppData\Local\Temp\tmp8834.tmp
Source: ePI4igo4y1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ePI4igo4y1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ePI4igo4y1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmp8864.tmp.dat.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\ePI4igo4y1.exe "C:\Users\user\Desktop\ePI4igo4y1.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,4947626736655423658,5044590235731121884,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1984,i,4947626736655423658,5044590235731121884,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (12 child processes whose image and command line the sandbox did not resolve)
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: ePI4igo4y1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ePI4igo4y1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: ePI4igo4y1.exe, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])

Boot Survival

Source: Yara match File source: ePI4igo4y1.exe, type: SAMPLE
Source: Yara match File source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ePI4igo4y1.exe PID: 6808, type: MEMORYSTR
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\4C67EC226C1C2FB3C434 BEA19E2DECE602CED1D3DF8C825A993F3D412C2A4D4D87EAA39F44BA4FB39E82
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: ePI4igo4y1.exe, type: SAMPLE
Source: Yara match File source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ePI4igo4y1.exe PID: 6808, type: MEMORYSTR
Source: C:\Users\user\Desktop\ePI4igo4y1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: ePI4igo4y1.exe Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Memory allocated: 1A9E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Window / User API: threadDelayed 654
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Window / User API: threadDelayed 9189
Source: C:\Users\user\Desktop\ePI4igo4y1.exe TID: 7632 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\ePI4igo4y1.exe TID: 7888 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\ePI4igo4y1.exe TID: 7896 Thread sleep count: 654 > 30
Source: C:\Users\user\Desktop\ePI4igo4y1.exe TID: 7896 Thread sleep count: 9189 > 30
Source: C:\Users\user\Desktop\ePI4igo4y1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\ePI4igo4y1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: ePI4igo4y1.exe, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: ePI4igo4y1.exe, DInvokeCore.cs Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: ePI4igo4y1.exe, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Queries volume information: C:\Users\user\Desktop\ePI4igo4y1.exe VolumeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\ePI4igo4y1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: ePI4igo4y1.exe, type: SAMPLE
Source: Yara match File source: 0.0.ePI4igo4y1.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ePI4igo4y1.exe PID: 6808, type: MEMORYSTR
Source: ePI4igo4y1.exe, 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MSASCui.exe
Source: ePI4igo4y1.exe, 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
Source: ePI4igo4y1.exe, 00000000.00000000.1696607809.00000000006F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\ePI4igo4y1.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\ePI4igo4y1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data