Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1583461
MD5:76969acc42256771162be6f285de947c
SHA1:071c5791d9ca1c2382450c6ef09432e12e8b3ca2
SHA256:155854758b79cdee58f7df5c1a4a07d3b19b3d64a0a58b2e8faf6d8b67042f3c
Tags: NET, exe, MSIL, njrat, user-jstrosch

Detection

DcRat, JasonRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DcRat
Yara detected JasonRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4696 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 76969ACC42256771162BE6F285DE947C)
    • Mxscspd_BelphegorShell.exe (PID: 4084 cmdline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe" MD5: 412A8BBC3366FEC40120821A598EA26F)
  • cleanup
{"Server": "127.0.0.1,winner2025me.duckdns.org", "Ports": "7777", "Version": "JASON 2.1.1.0", "Autorun": "false", "Install_Folder": "AppData", "Install_File": "ScJlsrsfsks", "AES_key": "Jason\u2620LetThereBeCarnage", "Mutex": "Jason_CnzagnrahJcsdJcnzns", "AntiDetection": "null", "External_config_on_Pastebin": "false", "Startup_Delay": 1, "Certificate": "MIICRzCCAbCgAwIBAgIVANvS14Czjez/SMBBbB3uWUcyWLrFMA0GCSqGSIb3DQEBDQUAMHsxFTATBgNVBAMMDEphc29uIFNlcnZlcjEiMCAGA1UECwwZSmFzb27imKBMZXRUaGVyZUJlQ2FybmFnZTEkMCIGA1UECgwbSmFzb24g4pigIExldFRoZXJlQmVDYXJuYWdlMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwMTExMjMxNjM2WhcNMzQxMDIwMjMxNjM2WjAQMQ4wDAYDVQQDDAVKYXNvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjynhKPrWMiHM2a9rMcQru2BGPNnbfYw5w+W/mUM/lDUQ5E5yx5wWth03JiB+yflQvUkZ/3sDm/4JQfZxiqclLIAzkXrlBxhKbaLxcxa5slQJUaypWXxwdTTu2U2bgqrOINQFGqA4qGXWVqVelz75q5QEn3PVsM9ItRcx49FsqgsCAwEAAaMyMDAwHQYDVR0OBBYEFEhI7v6kRtjV16ycOMQ1r14L2GjJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAFnxCg0+lHwa/Nkl7yer/lKO2aejOkcEGbtTxKgLGEpVClTuTTw4wQX8lc7gd0Ik5pL5VtO37O+Aj/Ysl71zgh3dd9gDKb9Uil7SP3WK2fbC/kETm++Pxi4vl4W3C6j1l9jtMOHmaNZem3Z+o+8bfkBbWtFDqp7Sul3yagpHaQzU=", "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=", "Group": "HOME"}
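The block above is the raw extractor output. The following Python script is an added editorial example (not part of the Joe Sandbox report and not code from the malware) that turns that configuration into artefacts a defender can act on. It walks the embedded X.509 certificate with a minimal DER reader (standard library only), prints issuer and subject DNs, validity window, signature algorithm and RSA key size, checks whether the AES key appears verbatim in the issuer DN (it does, so the DN itself is a pivot), and attempts the server-signature check used by the AsyncRAT/DcRat lineage that the YARA hits point to (RSA PKCS#1 v1.5 over SHA-256 of the UTF-8 key). Assumptions: the field meanings implied by the field names, and that JasonRAT kept the AsyncRAT signing scheme; if it did not, the check returns False and that is reported, not raised. The loopback entry in "Server" is the builder's default and is filtered out.

```python
"""Parse the JasonRAT configuration above into artefacts worth hunting on.
Editorial example for this report; standard library only."""
import base64
import hashlib

# Fields copied from the extractor output above (Certificate and ServerSignature are base64).
CONFIG = {
    "Server": "127.0.0.1,winner2025me.duckdns.org",
    "Ports": "7777",
    "Install_Folder": "AppData",
    "Install_File": "ScJlsrsfsks",
    "AES_key": "Jason\u2620LetThereBeCarnage",
    "Mutex": "Jason_CnzagnrahJcsdJcnzns",
    "Certificate": "MIICRzCCAbCgAwIBAgIVANvS14Czjez/SMBBbB3uWUcyWLrFMA0GCSqGSIb3DQEBDQUAMHsxFTATBgNVBAMMDEphc29uIFNlcnZlcjEiMCAGA1UECwwZSmFzb27imKBMZXRUaGVyZUJlQ2FybmFnZTEkMCIGA1UECgwbSmFzb24g4pigIExldFRoZXJlQmVDYXJuYWdlMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwMTExMjMxNjM2WhcNMzQxMDIwMjMxNjM2WjAQMQ4wDAYDVQQDDAVKYXNvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjynhKPrWMiHM2a9rMcQru2BGPNnbfYw5w+W/mUM/lDUQ5E5yx5wWth03JiB+yflQvUkZ/3sDm/4JQfZxiqclLIAzkXrlBxhKbaLxcxa5slQJUaypWXxwdTTu2U2bgqrOINQFGqA4qGXWVqVelz75q5QEn3PVsM9ItRcx49FsqgsCAwEAAaMyMDAwHQYDVR0OBBYEFEhI7v6kRtjV16ycOMQ1r14L2GjJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAFnxCg0+lHwa/Nkl7yer/lKO2aejOkcEGbtTxKgLGEpVClTuTTw4wQX8lc7gd0Ik5pL5VtO37O+Aj/Ysl71zgh3dd9gDKb9Uil7SP3WK2fbC/kETm++Pxi4vl4W3C6j1l9jtMOHmaNZem3Z+o+8bfkBbWtFDqp7Sul3yagpHaQzU=",
    "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=",
}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
# DER-encoded DigestInfo prefix for SHA-256, as EMSA-PKCS1-v1_5 (RFC 8017, 9.2) expects it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def oid_str(raw):
    """Dotted form of a DER OBJECT IDENTIFIER body."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_name(value):
    """X.501 Name -> list of (attribute, text), in certificate order."""
    pairs = []
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, text) = der_children(atv)
            pairs.append((OID_NAMES.get(oid_str(oid), oid_str(oid)), text.decode("utf-8", "replace")))
    return pairs


def parse_certificate(cert_b64):
    """Minimal X.509 v3 walker: DNs, validity window, signature algorithm and RSA public key."""
    _, cert, _ = der_tlv(base64.b64decode(cert_b64))
    tbs = der_children(der_children(cert)[0][1])
    if tbs[0][0] == 0xA0:                               # explicit [0] version, present for v3
        tbs = tbs[1:]
    serial, sig_alg, issuer, validity, subject, spki = tbs[:6]
    not_before, not_after = (v.decode() for _, v in der_children(validity[1]))
    key_bits = der_children(spki[1])[1][1][1:]          # BIT STRING body minus unused-bits byte
    (_, n_bytes), (_, e_bytes) = der_children(der_children(key_bits)[0][1])
    alg_oid = oid_str(der_children(sig_alg[1])[0][1])
    return {
        "serial": serial[1].hex(),
        "sig_alg": OID_NAMES.get(alg_oid, alg_oid),
        "issuer": parse_name(issuer[1]),
        "subject": parse_name(subject[1]),
        "not_before": not_before,
        "not_after": not_after,
        "rsa_n": int.from_bytes(n_bytes, "big"),
        "rsa_e": int.from_bytes(e_bytes, "big"),
    }


def verify_server_signature(cfg, cert):
    """AsyncRAT/DcRat lineage check (assumed to apply to JasonRAT): ServerSignature is an RSA
    PKCS#1 v1.5 signature, under the certificate's key, over SHA-256 of the UTF-8 AES key.
    False means this fork signs something else or the config was altered; report it, do not raise."""
    n, e = cert["rsa_n"], cert["rsa_e"]
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(base64.b64decode(cfg["ServerSignature"]), "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(cfg["AES_key"].encode("utf-8")).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return sig < n and pow(sig, e, n).to_bytes(k, "big") == expected


def extract_iocs(cfg):
    """Host and network artefacts for hunting, with the builder's loopback entry dropped."""
    hosts = [h for h in cfg["Server"].split(",") if h != "127.0.0.1"]
    return {
        "c2_hosts": hosts,
        "c2_ports": [int(p) for p in cfg["Ports"].split(",")],
        "dynamic_dns": [h for h in hosts if h.endswith(".duckdns.org")],
        "mutex": cfg["Mutex"],
        "run_key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" + cfg["Install_File"],
        "install": cfg["Install_Folder"] + "\\" + cfg["Install_File"],
    }


if __name__ == "__main__":
    cert = parse_certificate(CONFIG["Certificate"])
    print("issuer :", cert["issuer"])
    print("subject:", cert["subject"], cert["not_before"], "->", cert["not_after"])
    print("key    : RSA-%d e=%d, signed with %s" % (cert["rsa_n"].bit_length(), cert["rsa_e"], cert["sig_alg"]))
    print("AES key embedded in issuer DN:", any(CONFIG["AES_key"] in v for _, v in cert["issuer"]))
    print("AsyncRAT-style ServerSignature verifies:", verify_server_signature(CONFIG, cert))
    for name, value in extract_iocs(CONFIG).items():
        print("%-12s %s" % (name, value))
```

The issuer DN (CN=Jason Server with the key string in OU and O) and the 1024-bit key are stable across builds of the same kit, so they are worth matching on in TLS metadata or memory, where the C2 hostname is not: the operator can change winner2025me.duckdns.org without touching the certificate. The run-key value name produced by extract_iocs is the same one the Sigma registry event below reports.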
Yara matches: dropped files
Source  Rule  Description  Author  Strings
C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security

Yara matches: memory dumps
Source  Rule  Description  Author  Strings
00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
Process Memory Space: file.exe PID: 4696  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security

Yara matches: unpacked PEs
Source  Rule  Description  Author  Strings
1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
0.2.file.exe.39c3d90.1.unpack  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
0.2.file.exe.3995570.2.unpack  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security
1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack  JoeSecurity_JasonRAT  Yara detected JasonRAT  Joe Security

                        System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication
Source: Network Connection  Author: Florian Roth (Nextron Systems)  Data: DestinationIp: 87.120.113.91, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Initiated: true, ProcessId: 4084, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)  Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, ProcessId: 4084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScJlsrsfsks

Suricata IDS alert (note the direction: the alert fired on a server-to-client packet, so the C2 host 87.120.113.91:7777 appears as the source and the sandbox client 192.168.2.5:49704 as the destination, the reverse of the Sysmon connection event above)
Timestamp: 2025-01-02T20:14:02.195868+0100  SID: 2842478  Severity: 1  Classtype: Malware Command and Control Activity Detected  Source IP: 87.120.113.91  Source Port: 7777  Destination IP: 192.168.2.5  Destination Port: 49704  Protocol: TCP
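The two Sigma events above are the kind of telemetry a defender already collects. The script below is an added example (editorial, not the Sigma rules' own logic and not Joe Sandbox code) that re-implements the two conditions over Sysmon-style events and correlates them per process, so that persistence plus a callback from a user-writable path, which is exactly what PID 4084 shows, is escalated above either hit on its own. The callback-port list and the Program Files allow-list are assumptions for this example; the real callback rule carries a longer port list, and the real autorun rule covers many more keys than Run/RunOnce. The four events are constructed: the first two mirror the report's event data, the other two are benign controls.

```python
"""The two Sigma hits above as checks over Sysmon-style events, correlated per process.
Added example for this report; not Joe Sandbox or Sigma project code."""
import re

# Assumed for this example: a short callback-port list (the real rule's list is longer) and
# an allow-list of image prefixes whose outbound connections are not flagged.
CALLBACK_PORTS = {1080, 3333, 4444, 5555, 6666, 7777, 8888, 9999}
TRUSTED_IMAGE_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Run/RunOnce subset of the autorun rule; the full Sigma rule also covers Winlogon, Shell Folders, etc.
AUTORUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\b", re.IGNORECASE)

# Constructed events: the first two mirror the report's Sigma event data, the last two are benign.
EVENTS = [
    {"EventID": 3, "ProcessId": 4084, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe",
     "DestinationIp": "87.120.113.91", "DestinationPort": 7777},
    {"EventID": 13, "ProcessId": 4084, "EventType": "SetValue",
     "Image": r"C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScJlsrsfsks"},
    {"EventID": 3, "ProcessId": 1200, "Initiated": True, "Protocol": "tcp",      # same port, trusted path
     "Image": r"C:\Program Files\Vendor\agent.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 7777},
    {"EventID": 13, "ProcessId": 900, "EventType": "SetValue",                  # unrelated key
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]


def suspicious_callback(ev):
    """EventID 3: initiated TCP connection to a callback port from an image outside the allow-list."""
    if ev.get("EventID") != 3 or not ev.get("Initiated") or ev.get("Protocol") != "tcp":
        return False
    if ev["Image"].lower().startswith(TRUSTED_IMAGE_PREFIXES):
        return False
    return ev["DestinationPort"] in CALLBACK_PORTS


def autorun_key_set(ev):
    """EventID 13: a value written under a CurrentVersion\\Run or \\RunOnce key."""
    return (ev.get("EventID") == 13 and ev.get("EventType") == "SetValue"
            and AUTORUN_KEY.search(ev["TargetObject"]) is not None)


RULES = (("callback", suspicious_callback), ("autorun", autorun_key_set))


def score_processes(events):
    """Per ProcessId: which rules fired, and whether the combination warrants escalation
    (both rules, and the image lives under a user-writable AppData path)."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES if rule(ev)]
        if fired:
            entry = hits.setdefault(ev["ProcessId"], {"image": ev["Image"], "rules": set()})
            entry["rules"].update(fired)
    for entry in hits.values():
        entry["escalate"] = ({"callback", "autorun"} <= entry["rules"]
                             and USER_WRITABLE.match(entry["image"]) is not None)
    return hits


if __name__ == "__main__":
    for pid, entry in score_processes(EVENTS).items():
        print(pid, entry["image"], sorted(entry["rules"]), "escalate" if entry["escalate"] else "review")
```

Keying the correlation on ProcessId is enough inside one sandbox run; on a fleet, key on ProcessGuid (or host plus PID plus process start time) so a reused PID does not merge two unrelated processes.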


                        AV Detection

Source: file.exe  Avira: detected
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  Malware Configuration Extractor: JasonRAT (same configuration as the one extracted above)
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe  ReversingLabs: Detection: 52%
Source: file.exe  ReversingLabs: Detection: 39%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe  Joe Sandbox ML: detected
Source: file.exe  Joe Sandbox ML: detected
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: 7777
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: 127.0.0.1,winner2025me.duckdns.org
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: JASON 2.1.1.0
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: Jason_CnzagnrahJcsdJcnzns
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: [certificate; same value as the Certificate field of the configuration above]
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: null
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: HOME
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack  String decryptor: false
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe  File opened: C:\Users\user\Desktop\desktop.ini

                        Networking
