Analysis Report jvHSccqW.exe

Overview

General Information

Sample Name: jvHSccqW.exe
Analysis ID: 358594
MD5: efeff4b4242776d6576b0fb18f35d52c
SHA1: 557fa8532f5340ee628df64cb9a199ef935f1dc5
SHA256: 2399e5acd8e6fec2e83de445cf83b598676f57fdfedd1f67a7872a5009866591
Tags: AsyncRAT, exe

Detection

AsyncRAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected AsyncRAT
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jvHSccqW.exe Avira: detected
Found malware configuration
Source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "newss.myq-see.com", "Ports": "1177", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "HMaZiL8g7SjFAvgHIXWZdtT729qvTY9R", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Machine Learning detection for sample
Source: jvHSccqW.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: jvHSccqW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: jvHSccqW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: newss.myq-see.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49714 -> 154.16.67.107:1177
Source: unknown DNS traffic detected: queries for: newss.myq-see.com
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windows
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jvHSccqW.exe, 00000000.00000002.485611389.0000000003351000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_0190D5F0 0_2_0190D5F0
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_01909530 0_2_01909530
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_01908C60 0_2_01908C60
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_0190F298 0_2_0190F298
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_01908918 0_2_01908918
Sample file is different than original file name gathered from version info
Source: jvHSccqW.exe, 00000000.00000002.484213116.0000000000FEE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489036936.00000000058A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.485577057.0000000003330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489025524.0000000005890000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489396058.0000000005DC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe Binary or memory string: OriginalFilenameStub.exe" vs jvHSccqW.exe
Uses 32bit PE files
Source: jvHSccqW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: jvHSccqW.exe, Client/Settings.cs Base64 encoded string: 'xjAr2iPJC2iJ+2CveITMT3iyJYbeCtjLsXVSXfhPjQ2mu/N+EQG8LtddC6VG2YepJicnitdBMhxlkuJ9WigjsQ==', 't65m9ichioTw5NwvXoSAB/xrLZPaNj2oSBOWGJXp4p4hsFKptjXLFWWFymSpj0qoCzF3wAb19CNWSSS6hHRfYBBBWTTYjxPCqRqv1P1N2Lw=', 'LSpYyWHnBJTlbll+sbysj2rZPcCY+qJj7D9pDY5JVmyqaeNgVsDqC57feFeQVgOwROi5IouysmBVnB9wM6UaTfhD0vo0+s2cIRJRHUOe3Hg=', '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', 'LVENKTde2btwpyksp2hI5gKhtQ97MzdaqZJt5TB+FpjLaj7XKNKyGZXIUiTuvU6zHBwSFmxeNJG+Jbx8YK/5tWifSHDYJJhPu6myyqYdsz2xjkMIfPRk9Byj+jmoI/kS16HyhzDHql1bM2NPFeD4KCIPcQGPe7LRB2UvlSWW6Q2MuqqpZT753hMg91X9pM2AzXdC3R6Cc/rTjjqRYoxG6XPoLeJlXXZOUO6PTCVhu2Z2CGiTtqdczrZ0Uw/dwUE/tpL4teYjoIzuceYOeJBG+IAgsVZNj7GzKkUR7VXKOs3WuXYaTB6bRV6/XJ8lSzOKSjYJxj6+MEaMlk5//V0MeL/H3KQuugwntW7xWFVcCV7fKzbGUNjxmyQ
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Settings.cs Base64 encoded string: 'xjAr2iPJC2iJ+2CveITMT3iyJYbeCtjLsXVSXfhPjQ2mu/N+EQG8LtddC6VG2YepJicnitdBMhxlkuJ9WigjsQ==', 't65m9ichioTw5NwvXoSAB/xrLZPaNj2oSBOWGJXp4p4hsFKptjXLFWWFymSpj0qoCzF3wAb19CNWSSS6hHRfYBBBWTTYjxPCqRqv1P1N2Lw=', 'LSpYyWHnBJTlbll+sbysj2rZPcCY+qJj7D9pDY5JVmyqaeNgVsDqC57feFeQVgOwROi5IouysmBVnB9wM6UaTfhD0vo0+s2cIRJRHUOe3Hg=', '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', 'LVENKTde2btwpyksp2hI5gKhtQ97MzdaqZJt5TB+FpjLaj7XKNKyGZXIUiTuvU6zHBwSFmxeNJG+Jbx8YK/5tWifSHDYJJhPu6myyqYdsz2xjkMIfPRk9Byj+jmoI/kS16HyhzDHql1bM2NPFeD4KCIPcQGPe7LRB2UvlSWW6Q2MuqqpZT753hMg91X9pM2AzXdC3R6Cc/rTjjqRYoxG6XPoLeJlXXZOUO6PTCVhu2Z2CGiTtqdczrZ0Uw/dwUE/tpL4teYjoIzuceYOeJBG+IAgsVZNj7GzKkUR7VXKOs3WuXYaTB6bRV6/XJ8lSzOKSjYJxj6+MEaMlk5//V0MeL/H3KQuugwntW7xWFVcCV7fKzbGUNjxmyQ
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Settings.cs Base64 encoded string: 'xjAr2iPJC2iJ+2CveITMT3iyJYbeCtjLsXVSXfhPjQ2mu/N+EQG8LtddC6VG2YepJicnitdBMhxlkuJ9WigjsQ==', 't65m9ichioTw5NwvXoSAB/xrLZPaNj2oSBOWGJXp4p4hsFKptjXLFWWFymSpj0qoCzF3wAb19CNWSSS6hHRfYBBBWTTYjxPCqRqv1P1N2Lw=', 'LSpYyWHnBJTlbll+sbysj2rZPcCY+qJj7D9pDY5JVmyqaeNgVsDqC57feFeQVgOwROi5IouysmBVnB9wM6UaTfhD0vo0+s2cIRJRHUOe3Hg=', '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', 'LVENKTde2btwpyksp2hI5gKhtQ97MzdaqZJt5TB+FpjLaj7XKNKyGZXIUiTuvU6zHBwSFmxeNJG+Jbx8YK/5tWifSHDYJJhPu6myyqYdsz2xjkMIfPRk9Byj+jmoI/kS16HyhzDHql1bM2NPFeD4KCIPcQGPe7LRB2UvlSWW6Q2MuqqpZT753hMg91X9pM2AzXdC3R6Cc/rTjjqRYoxG6XPoLeJlXXZOUO6PTCVhu2Z2CGiTtqdczrZ0Uw/dwUE/tpL4teYjoIzuceYOeJBG+IAgsVZNj7GzKkUR7VXKOs3WuXYaTB6bRV6/XJ8lSzOKSjYJxj6+MEaMlk5//V0MeL/H3KQuugwntW7xWFVcCV7fKzbGUNjxmyQ
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: jvHSccqW.exe, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: jvHSccqW.exe, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\jvHSccqW.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: jvHSccqW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jvHSccqW.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\jvHSccqW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\jvHSccqW.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\jvHSccqW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: jvHSccqW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: jvHSccqW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_00FE39AC push 720A0000h; retf 0024h 0_2_00FE39B1
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_00FE2A66 push 0000003Eh; retn 0000h 0_2_00FE2DC0
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_00FE2F81 push eax; ret 0_2_00FE2F95
Source: C:\Users\user\Desktop\jvHSccqW.exe Code function: 0_2_00FE7201 push es; iretd 0_2_00FE7202

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\jvHSccqW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\jvHSccqW.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: jvHSccqW.exe Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\jvHSccqW.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\jvHSccqW.exe Window / User API: threadDelayed 4909
Source: C:\Users\user\Desktop\jvHSccqW.exe Window / User API: threadDelayed 4795
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6600 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6676 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6676 Thread sleep count: 59 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6684 Thread sleep count: 4909 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6684 Thread sleep count: 4795 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe File Volume queried: C:\ FullSizeInformation
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: jvHSccqW.exe Binary or memory string: vmware
Source: jvHSccqW.exe, 00000000.00000003.444659868.0000000005883000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\jvHSccqW.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\jvHSccqW.exe Memory allocated: page read and write | page guard
Source: jvHSccqW.exe, 00000000.00000003.268119312.000000000169F000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: jvHSccqW.exe, 00000000.00000003.268119312.000000000169F000.00000004.00000001.sdmp Binary or memory string: Program ManagerE7227815
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\jvHSccqW.exe Queries volume information: C:\Users\user\Desktop\jvHSccqW.exe VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
AV process strings found (often used to terminate AV products)
Source: jvHSccqW.exe, 00000000.00000002.488936663.0000000005816000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\jvHSccqW.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Behavior Graph

Behavior Graph ID: 358594, Sample: jvHSccqW.exe, Start date: 25/02/2021, Architecture: WINDOWS, Score: 76
Signatures shown on the graph: Found malware configuration; Antivirus / Scanner detection for submitted sample; Yara detected AsyncRAT; 3 other signatures
Process started: jvHSccqW.exe
Network contact: newss.myq-see.com (154.16.67.107, remote port 1177, local port 49714, AS40676US, South Africa)

Contacted Public IPs

IP             Domain   Country       ASN    ASN Name   Malicious
154.16.67.107  unknown  South Africa  40676  AS40676US  false

Contacted Domains

Name               IP             Active
newss.myq-see.com  154.16.67.107  true

Contacted URLs

Name               Malicious  Antivirus Detection  Reputation
newss.myq-see.com  false                           high