Windows Analysis Report
850.exe

Overview

General Information

Sample name: 850.exe
Analysis ID: 1571223
MD5: bbcb59d0329221e6ab409c0aceaef72a
SHA1: 317a9e5220efc1438df0957a7199377b8fc400d1
SHA256: 31f50eda5a542daad800246c8c8824650f1523bde4c3e944acda96c10fe3b0f7
Tags: AsyncRAT, exe, user-lontze7

Detection

AsyncRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Process Tree
  • System is w10x64
  • 850.exe (PID: 6920, cmdline: "C:\Users\user\Desktop\850.exe", MD5: BBCB59D0329221E6AB409C0ACEAEF72A)
  • cleanup
Threat name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware configuration (extracted):
{"Server": "65.21.198.54", "Port": "850", "Version": "A 13", "MutexName": "AsyncMutex_5552454", "Autorun": "false", "Group": "true"}
Yara Overview

Initial Sample
Source | Rule | Description | Author
850.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
850.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
850.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd998:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10e38:$a2: Stub.exe
  • 0x10ec8:$a2: Stub.exe
  • 0x9dac:$a3: get_ActivatePong
  • 0xdbb0:$a4: vmware
  • 0xda28:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xaedc:$a6: get_SslClient
850.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xda2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps
Source | Rule | Description | Author
00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd82a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 850.exe PID: 6920 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: 850.exe PID: 6920 | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x1cf68:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs
Source | Rule | Description | Author
0.0.850.exe.bc0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.850.exe.bc0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.850.exe.bc0000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd998:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10e38:$a2: Stub.exe
  • 0x10ec8:$a2: Stub.exe
  • 0x9dac:$a3: get_ActivatePong
  • 0xdbb0:$a4: vmware
  • 0xda28:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xaedc:$a6: get_SslClient
0.0.850.exe.bc0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xda2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

No Sigma rule has matched
No Suricata rule has matched
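The two rules above hit the same reversed string at offsets two bytes apart: $a5 at 0xda28 begins with the backslash, $s1 at 0xda2a begins one character later. A one-character difference that costs two bytes means the literal is stored as UTF-16LE, as .NET user strings are, so a rule carrying only an ASCII pattern would miss it. The scanner below is an added example, not code from Joe Sandbox or from the authors of either Yara rule; it reimplements the reversed-ASEP-key check in plain Python against a constructed blob (not the real 850.exe) and searches both byte encodings. Only the CurrentVersion\Run path is attested by the report; the other two keys in the list are assumptions.

```python
"""Find reversed autorun (ASEP) registry-key strings in a binary blob.

Added example, not code from Joe Sandbox or from the authors of the Yara
rules above. It reimplements the idea behind
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse in plain Python and searches
both byte encodings, because the report's offsets show the match was on
the UTF-16LE (wide) form. The blob scanned here is constructed, not the
real 850.exe.
"""
import re

# Autorun key paths that malware reverses at build time and un-reverses at
# runtime to defeat plain string matching. Only the CurrentVersion\Run path
# is attested by the report; the other two are assumptions.
ASEP_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

# .NET stores user strings as UTF-16LE; native code usually as ASCII/Latin-1.
ENCODINGS = {"ascii": "latin-1", "wide": "utf-16-le"}


def find_reversed_asep(blob: bytes):
    """Return sorted (offset, encoding, original_key) tuples for every reversed
    ASEP key found in blob. The key is reversed before encoding, so the
    pattern is byte-for-byte what a reversed string literal looks like."""
    raw = []
    for key in ASEP_KEYS:
        for enc, codec in ENCODINGS.items():
            pattern = re.escape(key[::-1].encode(codec))
            for m in re.finditer(pattern, blob):
                raw.append((m.start(), m.end(), enc, key))
    # "...\Run" reversed is a suffix of "...\RunOnce" reversed, so keep only
    # the longest match covering a region and drop hits nested inside it.
    hits = []
    for i, (s, e, enc, key) in enumerate(raw):
        nested = any(j != i and os_ <= s and e <= oe
                     for j, (os_, oe, _, _) in enumerate(raw))
        if not nested:
            hits.append((s, enc, key))
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a .NET stub: 0x40 bytes of padding, then the
    wide form of the $a5 literal, then filler. The leading backslash of $a5
    is the trailing backslash of the original 'Software\\...\\Run\\' string."""
    literal = (ASEP_KEYS[0] + "\\")[::-1]   # \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    return (b"\x00" * 0x40
            + literal.encode("utf-16-le")
            + b"\x00" * 8
            + "Stub.exe".encode("utf-16-le"))


if __name__ == "__main__":
    for off, enc, key in find_reversed_asep(build_sample_blob()):
        print(f"0x{off:x} ({enc}): reversed {key}")
```

On the constructed blob the Run key is reported at 0x42, two bytes past the 0x40 where the literal's leading backslash sits, reproducing the 0xda28/0xda2a relationship from the report. When porting this into Yara, give the string both the `ascii` and `wide` modifiers so the same rule covers native and .NET builds.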

              AV Detection

Source: 850.exe | Avira: detected
Source: 00000000.00000002.3739841417.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "65.21.198.54", "Port": "850", "Version": "A 13", "MutexName": "AsyncMutex_5552454", "Autorun": "false", "Group": "true"}
Source: 850.exe | ReversingLabs: Detection: 76%
Source: 850.exe | Virustotal: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 850.exe | Joe Sandbox ML: detected
Source: 850.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 850.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Yara match | File source: 850.exe, type: SAMPLE
Source: Yara match | File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 65.21.198.54:850
Source: Joe Sandbox View | ASN Name: CP-ASDE CP-ASDE
Source: unknown | TCP traffic detected without corresponding DNS query: 65.21.198.54 (44 connections logged)
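The report records 44 TCP connections to 65.21.198.54:850 with no DNS query for that address in the capture, and separately flags the port as non-standard. The script below is an added example, not part of the Joe Sandbox report, that applies those two checks to constructed log lines in capture order. The log format, the benign host 203.0.113.10 and its hostname are assumptions; the 192.168.2.7:49702 -> 65.21.198.54:850 flow is the one from the report.

```python
"""Correlate TCP flows with DNS answers from the same capture.

Added example (not part of the Joe Sandbox report). It applies two of the
report's network signatures, "TCP traffic without corresponding DNS query"
and "traffic on non-standard ports", to constructed log lines. The log
format, the benign host 203.0.113.10 and its name are assumptions;
192.168.2.7:49702 -> 65.21.198.54:850 is the flow from the report.
"""
from dataclasses import dataclass, field

# Ports the environment is expected to talk to; anything else is "non-standard".
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

# Constructed sample capture, one event per line, in time order:
#   <seq> DNS <qname> -> <answer ip>
#   <seq> TCP <src ip>:<sport> -> <dst ip>:<dport>
SAMPLE_LOG = """\
1 DNS update.example.test -> 203.0.113.10
2 TCP 192.168.2.7:49701 -> 203.0.113.10:443
3 TCP 192.168.2.7:49702 -> 65.21.198.54:850
4 TCP 192.168.2.7:49703 -> 65.21.198.54:850
5 TCP 192.168.2.7:49704 -> 203.0.113.10:8443
6 DNS late.example.test -> 198.51.100.7
"""


@dataclass
class Destination:
    flows: int = 0
    no_dns: bool = False            # a flow happened before any DNS answer named this IP
    nonstandard_ports: set = field(default_factory=set)
    names: set = field(default_factory=set)


def analyse(log_text):
    """Return {dst_ip: Destination}, processing events in capture order so a
    DNS answer that arrives *after* a flow does not retroactively excuse it."""
    resolved = {}          # ip -> set of names that resolved to it so far
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue       # skip blank or malformed lines rather than guess
        kind = parts[1]
        if kind == "DNS":
            resolved.setdefault(parts[4], set()).add(parts[2])
        elif kind == "TCP":
            dst_ip, dport = parts[4].rsplit(":", 1)
            d = findings.setdefault(dst_ip, Destination())
            d.flows += 1
            d.names |= resolved.get(dst_ip, set())
            if dst_ip not in resolved:
                d.no_dns = True
            if int(dport) not in STANDARD_PORTS:
                d.nonstandard_ports.add(int(dport))
    return findings


def suspicious_destinations(log_text):
    """IPs contacted directly (no prior DNS answer) on a non-standard port:
    the combination the report raised for 65.21.198.54:850."""
    return sorted(ip for ip, d in analyse(log_text).items()
                  if d.no_dns and d.nonstandard_ports)


if __name__ == "__main__":
    for ip, d in analyse(SAMPLE_LOG).items():
        print(ip, d)
    print("suspicious:", suspicious_destinations(SAMPLE_LOG))
```

A missing DNS query on its own is weak evidence: a cached resolution, DNS over HTTPS, or a resolver outside the capture all produce the same picture, and the benign 203.0.113.10:8443 flow above shows that a non-standard port alone is not conclusive either. The combination of both, here pointing at the same address the configuration extractor recovered as "Server", is what makes the finding actionable.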

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 850.exe, type: SAMPLE
Source: Yara match | File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR

              System Summary

Source: 850.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 850.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\850.exe | Code function: 0_2_0150E328
Source: 850.exe, 00000000.00000000.1286757447.0000000000BD4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs 850.exe
Source: 850.exe, 00000000.00000002.3740948439.0000000005929000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 850.exe
Source: 850.exe | Binary or memory string: OriginalFilenameStub.exe" vs 850.exe
Source: 850.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 850.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 850.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 850.exe, kfzEcsqnbPQk.cs | Base64 encoded string: 'Ywh6U9qkjx6Igc50M0jq7mCp9YdS2+tErnz3TBprAM/E0LZx1RjeeLwKMBMSIWTM2jODABl5q0EawqA4UXhPMg==', 'LMqlOIdy0lT5vXKb/LByp02UrAf791yfcXm1S8p4mu1rsH1QLqXUR4GLUFvzkDvfnMlZB1654Jvbf1uvae8qLg==', 'pE3eIOm2LFhxkKn7axUb9gNIzs1lLZLQEZu6Llneg0JBkLktf1oe0QlUmeeLJMG5+ZvIur/p+W8Wx9k6sL6PzQ==', 'JhS10/4XyoYM5zsZHsfughEczac6KjCdW3sv0DX4NNCaKSdsaZdh9zy9qK3GTFwExVfhaCKv4wjkX3RD7fK4VA==', 'Qxtb3t29aWPI9yCMcMcs7FWNfHXR0+CIr8eKXdMJx5t9HjqX/1XXF3dePQDl1fqmyTmwE11CvQbRtaxVoOARoCfEseKJooiDuq03rZ/uvUg=', […], 'pz/ogAaRcWOtGNi20ZaWWMw3e97soaq/cIHLCuz+pexDz7HYAP5dt6yydvuNGXNKgfPxlWLqYuxHs+LY9GE/LhWaNvK04CuCP1+sWdUJWyPTu5cuTBN67Sp1s8VCrfGKplYHBXMr+oCI8vAOGZg4getDTKxSYcSmCPnPWFm
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\850.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_5552454
Source: C:\Users\user\Desktop\850.exe | Mutant created: NULL
Source: 850.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 850.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\850.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 850.exe | ReversingLabs: Detection: 76%
Source: 850.exe | Virustotal: Detection: 79%
Source: C:\Users\user\Desktop\850.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, mswsock.dll, uxtheme.dll, secur32.dll, schannel.dll
Source: 850.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 850.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

Source: 850.exe, yTXDgdzKkUZEy.cs | .Net Code: zZEnjKEUPGrPh System.AppDomain.Load(byte[])
Source: 850.exe, sJzixzjPUkf.cs | High entropy of concatenated method names: 'IfExTTjnktaX', 'MozAIbYaGW', 'SVsWodqLZneal', 'oIUANkEUIesYI', 'PuvDQwjHBTjnz', 'kzvhUTSjSSX', 'IQnjbAXBKPH', 'XaLeNchVQTI', 'cGXsmtmllnwPOZ', 'NtfFBQDmlfM'

              Boot Survival

Source: Yara match | File source: 850.exe, type: SAMPLE
Source: Yara match | File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR
Source: C:\Users\user\Desktop\850.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences)
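The Yara string $a1 matched in the sample, /c schtasks /create /f /sc onlogon /rl highest /tn ", is the persistence template: a scheduled task created through cmd.exe, forced over any existing task, triggered at every logon and requesting the highest run level. The sandbox did not observe the task being created (the extracted configuration has Autorun set to false and the report shows no scheduled-task activity), so the check below runs against constructed process-creation command lines rather than behaviour from this report. It is an added example, not code from the report or from the malware; the task name, the install path and the benign events are assumptions, and Stub.exe is the file name from the report's $a2 string.

```python
"""Flag schtasks command lines that match the AsyncRAT persistence template.

Added example, not code from the report or from the malware. The Yara
string $a1 above ('/c schtasks /create /f /sc onlogon /rl highest /tn "')
is the template; this checks constructed process-creation command lines
for it. Task names, install paths and the benign events are assumptions;
Stub.exe is the file name from the report's $a2 string.
"""

# Constructed process-creation command lines (not from the sandbox run).
SAMPLE_EVENTS = [
    r'cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn "Updater" /tr "C:\Users\user\AppData\Roaming\Stub.exe"',
    r'schtasks.exe /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
    r'C:\Windows\System32\notepad.exe',
    r'schtasks /query /tn "Updater"',
]

# Path fragments a standard user can write to; a task action there is a
# persistence red flag because no installer privilege was needed to drop it.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes
    (which are removed) so a quoted path stays one token."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return schtasks switches as {name: value_or_True}, or None when the
    command line does not run schtasks. Handles the 'cmd /c schtasks ...'
    wrapper implied by the '/c schtasks' prefix of the Yara string."""
    tokens = tokenize(cmdline)
    names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
    positions = [i for i, n in enumerate(names) if n in ("schtasks", "schtasks.exe")]
    if not positions:
        return None
    rest = tokens[positions[-1] + 1:]
    args, i = {}, 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("/"):
            # A switch takes the next token as its value unless that token
            # is itself a switch (e.g. "/f /sc" leaves /f as a bare flag).
            if i + 1 < len(rest) and not rest[i + 1].startswith("/"):
                args[tok[1:].lower()] = rest[i + 1]
                i += 2
            else:
                args[tok[1:].lower()] = True
                i += 1
        else:
            i += 1
    return args


def score_persistence(cmdline):
    """Reasons a schtasks invocation looks like the AsyncRAT-style install."""
    args = parse_schtasks(cmdline)
    if not args or "create" not in args:
        return []
    reasons = []
    if str(args.get("sc", "")).lower() == "onlogon":
        reasons.append("runs at every logon (/sc onlogon)")
    if str(args.get("rl", "")).lower() == "highest":
        reasons.append("requests highest run level (/rl highest)")
    if args.get("f") is True:
        reasons.append("force-overwrites an existing task (/f)")
    action = str(args.get("tr", "")).lower()
    if any(p in action for p in USER_WRITABLE):
        reasons.append("task action lives in a user-writable path")
    return reasons


def triage(events):
    """Return [(cmdline, reasons)] for events with at least one reason."""
    return [(e, score_persistence(e)) for e in events if score_persistence(e)]


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(cmd)
        for r in reasons:
            print("  -", r)
```

The benign daily backup task and the /query call produce no reasons, while the AsyncRAT-shaped line collects all four; in practice the /rl highest request only succeeds from an elevated context, so pair this with the integrity level of the creating process when the telemetry carries it.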

              Malware Analysis System Evasion

Source: Yara match | File source: 850.exe, type: SAMPLE
Source: Yara match | File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR
Source: 850.exe | Binary or memory string: SBIEDLL.DLLM\B(BC1|[13])[A-ZA-HJ-NP-Z0-9]{26,45}\B
Source: C:\Users\user\Desktop\850.exe | Memory allocated: 1500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\850.exe | Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\850.exe | Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\850.exe | Window / User API: threadDelayed 3790
Source: C:\Users\user\Desktop\850.exe | Window / User API: threadDelayed 6198
Source: C:\Users\user\Desktop\850.exe TID: 1648 | Thread sleep count: 3790 > 30
Source: C:\Users\user\Desktop\850.exe TID: 1648 | Thread sleep time: -3790000s >= -30000s
Source: C:\Users\user\Desktop\850.exe TID: 1648 | Thread sleep count: 6198 > 30
Source: C:\Users\user\Desktop\850.exe TID: 1648 | Thread sleep time: -6198000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\850.exe | File Volume queried: C:\ FullSizeInformation
Source: 850.exe | Binary or memory string: vmware
Source: 850.exe, 00000000.00000002.3739345563.0000000001292000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\850.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\850.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\850.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\850.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\850.exe | Queries volume information: C:\Users\user\Desktop\850.exe VolumeInformation
Source: C:\Users\user\Desktop\850.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\850.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\850.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\850.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 850.exe, type: SAMPLE
Source: Yara match | File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR

              Stealing of Sensitive Information

Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: FalseQ\AppData\Roaming\Exodus\exodus.conf.json (3 occurrences)
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AtomicI\AppData\Roaming\binance\Preferences
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: InstalledK\AppData\Roaming\Ledger Live\app.json
MITRE ATT&CK Matrix (techniques matched by this analysis; the number in parentheses is the count of matching signatures)

Execution: Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1), DLL Side-Loading (1)
Privilege Escalation: Scheduled Task/Job (1), DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (121), Disable or Modify Tools (1), Obfuscated Files or Information (11), Software Packing (1), DLL Side-Loading (1)
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (121), Process Discovery (1), Application Window Discovery (1), System Information Discovery (13)
Collection: Archive Collected Data (1), Data from Local System (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1)