
Windows Analysis Report
q2e132qweertgd.exe.bin.exe

Overview

General Information

Sample name: q2e132qweertgd.exe.bin.exe
Analysis ID: 1634173
MD5: ce936711c2d764e67a57275d6d7b309c
SHA1: df21d4952edb1d1e14153080fbe23a367e07660e
SHA256: b6b4f3d76be11cba85b433e54f37181dc669422de50b3f9db049196d96e241c2
Tags: AsyncRAT, exe, user-TornadoAV_dev

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • q2e132qweertgd.exe.bin.exe (PID: 7960 cmdline: "C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe" MD5: CE936711C2D764E67A57275D6D7B309C)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
No configs have been found
Source / Rule / Description / Author / Strings

Source: q2e132qweertgd.exe.bin.exe (type: SAMPLE)
  Rule: JoeSecurity_XWorm | Yara detected XWorm | Author: Joe Security
  Rule: rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
    • 0x9865:$str01: $VB$Local_Port
    • 0x9889:$str02: $VB$Local_Host
    • 0x81db:$str03: get_Jpeg
    • 0x86c2:$str04: get_ServicePack
    • 0xa3dd:$str05: Select * from AntivirusProduct
    • 0xaac7:$str06: PCRestart
    • 0xaadb:$str07: shutdown.exe /f /r /t 0
    • 0xab8d:$str08: StopReport
    • 0xab63:$str09: StopDDos
    • 0xac59:$str10: sendPlugin
    • 0xacd9:$str11: OfflineKeylogger Not Enabled
    • 0xae31:$str12: -ExecutionPolicy Bypass -File "
    • 0xb2de:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT | Detects AsyncRAT | Author: ditekSHen
    • 0xb477:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xb514:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xb629:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xb1f9:$cnc4: POST / HTTP/1.1

Source: 00000000.00000000.1176313217.00000000007E2000.00000002.00000001.01000000.00000003.sdmp (type: MEMORY)
  Rule: JoeSecurity_XWorm | Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Detects AsyncRAT | Author: ditekSHen
    • 0xb277:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xb314:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xb429:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xaff9:$cnc4: POST / HTTP/1.1

Source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960 (type: MEMORYSTR)
  Rule: JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Author: Joe Security
  Rule: JoeSecurity_XWorm | Yara detected XWorm | Author: Joe Security

Source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack (type: UNPACKEDPE)
  Rule: JoeSecurity_XWorm | Yara detected XWorm | Author: Joe Security
  Rule: rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io (string matches identical to the SAMPLE match above, same offsets)
  Rule: MALWARE_Win_AsyncRAT | Detects AsyncRAT | Author: ditekSHen (string matches identical to the SAMPLE match above, same offsets)

No Sigma rule has matched
No Suricata rule has matched


            AV Detection

Source: q2e132qweertgd.exe.bin.exe | Avira: detected
Source: q2e132qweertgd.exe.bin.exe | Virustotal: Detection: 73%
Source: q2e132qweertgd.exe.bin.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: q2e132qweertgd.exe.bin.exe | String decryptor: https://pastebin.com/raw/64jXYT6E
Source: q2e132qweertgd.exe.bin.exe | String decryptor: <DaGang>
Source: q2e132qweertgd.exe.bin.exe | String decryptor: <Xwormmm>
Source: q2e132qweertgd.exe.bin.exe | String decryptor: Fake XWorm
Source: q2e132qweertgd.exe.bin.exe | String decryptor: RWorm
Source: q2e132qweertgd.exe.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: q2e132qweertgd.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 192.168.2.4:49721 -> 23.84.85.170:1738
Source: global traffic | HTTP traffic detected: GET /raw/64jXYT6E HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 23.84.85.170
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: q2e132qweertgd.exe.bin.exe, 00000000.00000002.3632704623.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: q2e132qweertgd.exe.bin.exe, 00000000.00000002.3632704623.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/64jXYT6E
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49719 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR

            System Summary

Source: q2e132qweertgd.exe.bin.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: q2e132qweertgd.exe.bin.exe, type: SAMPLE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000000.1176313217.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Code function: 0_2_00007FFC3DC771BB
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Code function: 0_2_00007FFC3DC77F6B
Source: q2e132qweertgd.exe.bin.exe, 00000000.00000000.1176328946.00000000007F0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameq2e132qweertgd.exe4 vs q2e132qweertgd.exe.bin.exe
Source: q2e132qweertgd.exe.bin.exe | Binary or memory string: OriginalFilenameq2e132qweertgd.exe4 vs q2e132qweertgd.exe.bin.exe
Source: q2e132qweertgd.exe.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: q2e132qweertgd.exe.bin.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: q2e132qweertgd.exe.bin.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1176313217.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: q2e132qweertgd.exe.bin.exe, cnxdFwAVfKrF7Hvf0aDVk5e3riNyq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: q2e132qweertgd.exe.bin.exe, YgHjhkKi6RVzc36c6c5iqx2CFhcU3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: q2e132qweertgd.exe.bin.exe, Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc.cs | Base64 encoded string: 'QKV0VkhGHfuJAdp2JLWyQry1L9B6afTeEUagVfbtDBdwOb3MIIqFYJ/kuN+ApRU3'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Mutant created: \Sessions\1\BaseNamedObjects\PPyQuRJ1a1Vw1mmd
Source: q2e132qweertgd.exe.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: q2e132qweertgd.exe.bin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: q2e132qweertgd.exe.bin.exe | Virustotal: Detection: 73%
Source: q2e132qweertgd.exe.bin.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: q2e132qweertgd.exe.bin.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: q2e132qweertgd.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc.UFWrGA1WC7NVKiyhS6QWWftkGnL3jxuKfR9PzlfwACll,Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc._8JZ8tu3hmVGZeHEbszmEKqBF0BCzgKjtzXESxeN5vcBi,Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc.QkILzP9He1AOzqiYhmPWelUQ8USYGxJl1txUseQ68iol,Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc.MVwSC2bMVFzxj9vyGqsxs6ZhHFXIpR6oyLBULc0Z4NLl,cnxdFwAVfKrF7Hvf0aDVk5e3riNyq.b2A21cXYfJ6FXqKRc4akzcHiPDqPP()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{n7xcSA20P9ze9CwITRX8A0V10xcBo[2],cnxdFwAVfKrF7Hvf0aDVk5e3riNyq._0BBBs7BMu6BTatSAIpdjXw4xsxOhN(Convert.FromBase64String(n7xcSA20P9ze9CwITRX8A0V10xcBo[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | .Net Code: PDOloscPpnylKlwgL6mQICTjM1umQMxI29wZpuyMD3Ja System.AppDomain.Load(byte[])
Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | .Net Code: cJXDkHqD8eME6fCA5DmbNyNf6X4gzsxLTUHIqJY3FRZo System.AppDomain.Load(byte[])
Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | .Net Code: cJXDkHqD8eME6fCA5DmbNyNf6X4gzsxLTUHIqJY3FRZo
Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Code function: 0_2_00007FFC3DC719CD push E95DD11Bh; ret 0_2_00007FFC3DC71A19
Source: q2e132qweertgd.exe.bin.exe, hggqAOWGf0ubeXSjF3q8ph5lJ58Xr.cs | High entropy of concatenated method names: '_44JhhaBWG688ydBgEalDUGuoyoegY', 'NRSOcveXw9HnljpG2GqAjzVt7wo9R', 'kbFaoDPbIGHHZmpFyzQM6L9Zn47EC', '_2M04wVe7iC0m58eLlKIs12vwOvev2jz6a691fBu6QgKfgLZwdYmGNAOpYWrGPN', 'iZcCG6LRiDaqZsoq9GFc0Eu6D9VMMlCgLSUJALUfYbY94dkX02AXQN85eTxdPa', 'ZIrIArB5WVylG7FfihEmJLQxz1VGXg4WiqYwhBoQcSS2ffqjqnl3zsY8U1QZNs', 'amIW1m1ZKKmMeOu9QivBsZPQ6JyCsbKhacRSIquoYaZQy6aZlvpyPf7roHqgkf', 'QPGY99ifGW9xNOmWQQZOxQ57xIN0SWPyEhp90V2BdxeFPmSwUGX887f4N7Xd41', 'O0tpM7OWHfqgWORkr7Ou1sDvpqnee0L3vrx4lOx5vW5Py3Df9CpZeX9PKkk9uW', 'ZJZKdWwc4zTPwwjHSMvnf3B0OClBJCFao1jj0inwwCcJGOQd9uCV6zhbwfB5JU'
Source: q2e132qweertgd.exe.bin.exe, Pwkis2CZC8X99oO2Hd4O0I9MACMFNO61I5Un3yqaHJAc.cs | High entropy of concatenated method names: 'cnHttKAmfMMGWjnGuJDgjWXcO7iDJ', 'nrZ1VvZUNfrFr08VU2KUedqFEsTh3', 'nohIDAc9KzMM8LzfCU1E8cEMxMKA9', 'uhhC8o5zegwHJUAQbLBe5kZfVoYwl'
Source: q2e132qweertgd.exe.bin.exe, Q2xNmgxhe94L3GYlXs6exJL7bk5Rjv3vBlDReypf4GnT.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'RpexKZhO2YGWggOQRqMNB8rurFKkY', '_4l3QehojsKsRTdu5qsYTj2rQp0yva', 'EUu8a4cHEvH8wojWQSg0FME8aP5bm', 'PKor1gpCXHEVuaZpT4krCTk8ZiZ89'
Source: q2e132qweertgd.exe.bin.exe, hnqIWUzgRz5IT4Rgp7hICGoIRcjNA4LTvwhwAUIVhEVZ.cs | High entropy of concatenated method names: 'XpMnkDopCuZPfCxV5X7DxWdVKaBYGdIMhmjLPj7znTRw', '_6md3gt2YrSojuBIkhjKRLOLtjYfBvU1Yx1fwvVImTddI', 'Ok9QFmTHjB2l1eAL7GeS21f376NI4PE76NCie6u5tXNs', 'UEecbTkWmXuZs2VUfVKgHPKUfA0dqtl0BIx5WcLjPYHz', 'BB4pKQkyqMC618WJbe1xio8jQdEPM', '_7edwp8CtPSfGQH8L8VhjWfwiKuDJ2', '_9G5hqskwrESy3dVC2kAkAqjwNCLfq', 'GPfRqsh6Sq6bA7gnxN6xwMGW4REvK', 'PPXj71WPM1UVeG5YT2n0HeMwnjAv1', 'nmIUnYNugKpZU8txZWePP34EH6TFU'
Source: q2e132qweertgd.exe.bin.exe, OuFmlCNtoCyAtZy2uWCKKjx6Och5KFaw9MGZeXceUQT8.cs | High entropy of concatenated method names: 'rXHK6T4Tf3h9iIGsW7Q40AtLwujPdwhBT50p5KtDYb4b', 'OaMHYlWZlFNKkLBsohrZwkA5khrRB8FR0wXJ0hCw1AfK', '_1aVpux1z0oENcWfPVRMWTLr8giZggUGmdfolcnag92nk', '_64FtEFD9ROTpaYX2kY3xHwdAIrOYf6uqThYb91ed2B1m', 'qW2t4m6gd5iVPKEd0b2H9aXVULPvGzglEPg1DkQAnBL8', '_1lTdcaiovI5bxUG6bUqQWPAy9dnpPjhubWjWXbVvIuln', 'aAn9BvGHthXx4Ilqfy7QqNYriHPhN4y3QGrFYia98TG6', '_7TD6WFSvHJ2TID1PoXgu8o9rWKK9x489E9v7SO76c4dj', 'k3DyDvFSvzVWxOzpc1bI8TUblhyXULp4dd24mPvkEEir', 'puXYen8WGcqaFej4U1eAiHWtRZ7T9kOA2MMJ1CAKxCam'
Source: q2e132qweertgd.exe.bin.exe, cnxdFwAVfKrF7Hvf0aDVk5e3riNyq.cs | High entropy of concatenated method names: 'PuLbw4cm8ighGjhaorqLU3TynVzOz', '_2FSkw5Hdh1D6kWXSaM3rQF6qJEfic', 'sWHstpVufUBPGFGB450Gy10cJd3B4', 'cCug26JHZE5Ij2ciMEdWXhosgIghx', 'fCQjavzYsGljT0Udi4EkwNHPd3S2M', 'fzzq0K9GHsr5msCNtOi1SvDI9vImO', '_7MONbDFPowMLAJIqRBTF7j72bjFhI', 'dR7PRUY8OC0i2D52WbILTwUP9daAt', 'M3rdNNyRk4GQRyWIAs8m3o70jlP8G', 'eSPnsRGx7XfrnCJsN9PqFuotfmfJh'
Source: q2e132qweertgd.exe.bin.exe, YgHjhkKi6RVzc36c6c5iqx2CFhcU3.cs | High entropy of concatenated method names: 'tjb487PUhxxWiekG4m6wR9JF4JV1j', '_6nK0HgzXcNI9dywSRRiPy5d2xxOy7', 'rsimUB9p2OHyhczQkWXvfbS6XamGo', 'keDWwWgxll90GSfe7IQ8VZPcMqYwU', 'DOvPWiCz9jAfHX1OpLA4ncbRCCpHw'
Source: q2e132qweertgd.exe.bin.exe, lJPpAODL7qmSBFy0BobhDeibAyXoZiwIy7HeDePFUk3Z.cs | High entropy of concatenated method names: 'XLvBXaQBY0TTHNabfxZgQq1OKkK3kLPdqXAsm3KVkBdp', 'PDOloscPpnylKlwgL6mQICTjM1umQMxI29wZpuyMD3Ja', 'dGHi2jtlZbpbALsuyp67CHAZK7RVBAsCdYYTU9OVtwz7', 'GbGe47hs6u3Qm1uX3HpOuXBusADC6qDFxMknafmbrOQJ', 'zDdLxMoqJajeoYqA8e9FcNsOu7qcd61iH10ntfka2e4h', 'cTLXb6lTe1nS1Th2eGIMMJKVjyXlwNQBmYsnMmR4Rhdl', 'zReTLjBbP90O18NnMUEq3dZwtymv38sUTE9ratMevU8T', 'y8ehiNTBAyYHCcjCBSKHv6mBWzL9ePu3adzN78HhzC3E', 'yCYSbyZrK1qdjnUvCfU4AfKoEtFJLGAvZx88YApB0Cym', 's09pYEOuTP7IrXnlYAFCJWMTWE2HhjfMpYoHWQ4EKBju'
Source: q2e132qweertgd.exe.bin.exe, cZuD9jCt7mV5j9U7k3g1z8mFd6GSw.cs | High entropy of concatenated method names: 'mgzk46hCEloXQMqckwtwSsbAaYKWf', 'nJQikQmbi2PoleZALlHNm9MkRYmD3', 'b2yWwKzjckO3twF1JeC7REEqGGtjU', 'q1SbCA0e727sLllYGEQs8HKHlDmxP', 'Fy4z4zhl9ClgdJdWQDlOCdjcC6l5U'

            Boot Survival

Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Memory allocated: 1030000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Memory allocated: 1AA70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Window / User API: threadDelayed 3514
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Window / User API: threadDelayed 6333
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe TID: 7192 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe TID: 7216 | Thread sleep count: 3514 > 30
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe TID: 7216 | Thread sleep count: 6333 > 30
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | File Volume queried: C:\ FullSizeInformation
            Source: q2e132qweertgd.exe.bin.exe, 00000000.00000002.3631748987.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Queries volume information: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe VolumeInformation
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR
            Source: q2e132qweertgd.exe.bin.exe, 00000000.00000002.3634114597.000000001BB40000.00000004.00000020.00020000.00000000.sdmp, q2e132qweertgd.exe.bin.exe, 00000000.00000002.3634114597.000000001BB7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\q2e132qweertgd.exe.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: q2e132qweertgd.exe.bin.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1176313217.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: q2e132qweertgd.exe.bin.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.q2e132qweertgd.exe.bin.exe.7e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1176313217.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: q2e132qweertgd.exe.bin.exe PID: 7960, type: MEMORYSTR

            ATT&CK matrix, listed per tactic (a number in parentheses is the count of matched signatures for that technique):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation (11); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task
            Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (111); Software Packing (2); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (13); Internet Connection Discovery; Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3)
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
