Analysis Report Invoice No F1019855_PDF.vbs

Overview

General Information

Sample Name: Invoice No F1019855_PDF.vbs
Analysis ID: 404165
MD5: ce4dcec84bfeba49404fa70f5d137645
SHA1: c31021953c59af126d0095bea70c26ca02a2d954
SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
Tags: NanoCore, RAT, vbs

Detection

Malware family: NanoCore, AsyncRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • wscript.exe (PID: 6428 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ame.exe (PID: 6592 cmdline: 'C:\Users\user\AppData\Local\Temp\ame.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
      • wscript.exe (PID: 6700 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • schtasks.exe (PID: 5544 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Notepads.exe (PID: 5444 cmdline: 'C:\Users\user\AppData\Roaming\Notepads.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
    • fi.exe (PID: 6616 cmdline: 'C:\Users\user\AppData\Local\Temp\fi.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • dhcpmon.exe (PID: 6952 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • Notepads.exe (PID: 2152 cmdline: C:\Users\user\AppData\Roaming\Notepads.exe MD5: F7F64EC1756119F19D52FB140E22382F)
  • cleanup
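
The tree above is the whole infection chain in five process-creation events: a script host runs the lure from the Desktop, drops two PEs into Temp, one of them writes a second VBS and uses it to register an onlogon scheduled task with the highest run level pointing at a copy in Roaming. The following is an added example, not code from the report or from the Sigma project: it reconstructs those events as (pid, parent pid, image, command line) tuples, applies an approximation of the logic behind the Sigma hit "WScript or CScript Dropper" listed under Sigma Overview, parses the schtasks line into its options, and scores the persistence. The parent PID of the first wscript.exe is not in the report and is set to 0; the script-extension and user-writable-path lists, the dropper logic and the finding texts are the editor's assumptions. The tokenizer deliberately tolerates the missing closing quote on the `/tr` argument, exactly as the report renders it.

```python
import re

# Process-creation events reconstructed from the report's Startup tree:
# (pid, parent pid, image, command line). The parent PID of the first
# wscript.exe is not in the report and is set to 0 here (constructed).
EVENTS = [
    (6428, 0, r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'"),
    (6592, 6428, r"C:\Users\user\AppData\Local\Temp\ame.exe",
     r"'C:\Users\user\AppData\Local\Temp\ame.exe'"),
    (6700, 6592, r"C:\Windows\System32\wscript.exe",
     r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'"),
    (5544, 6700, r"C:\Windows\System32\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe"),
    (6616, 6428, r"C:\Users\user\AppData\Local\Temp\fi.exe",
     r"'C:\Users\user\AppData\Local\Temp\fi.exe'"),
]

# Assumed lists; extend to taste.
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".vba", ".wsf")
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
TOKEN_RE = re.compile(r"""'([^']*)'?|"([^"]*)"?|(\S+)""")


def split_cmdline(cmdline):
    """argv-style split that accepts single or double quotes and tolerates a
    missing closing quote (the report's schtasks line ends that way)."""
    return [next(g for g in m.groups() if g is not None)
            for m in TOKEN_RE.finditer(cmdline)]


def is_script_dropper(image, cmdline):
    """Approximation (assumed, not the rule text) of the logic behind the Sigma
    rule 'WScript or CScript Dropper': a script host started with a script
    that lives under a user profile or ProgramData."""
    if not image.lower().endswith(SCRIPT_HOSTS):
        return False
    argv = split_cmdline(cmdline)
    script = next((a for a in argv[1:] if not a.startswith("/")), "").lower()
    return script.endswith(SCRIPT_EXT) and any(
        p in script for p in (":\\users\\", ":\\programdata\\"))


def parse_schtasks(cmdline):
    """Return {'action': ..., 'sc': ..., 'rl': ..., 'tn': ..., 'tr': ...} for a
    schtasks command line, or None if the image is not schtasks."""
    argv = split_cmdline(cmdline)
    if not argv or not argv[0].lower().endswith(("schtasks.exe", "schtasks")):
        return None
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i].lower()
        if tok in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            opts["action"] = tok[1:]
            i += 1
        elif tok.startswith("/") and i + 1 < len(argv):
            opts[tok[1:]] = argv[i + 1]   # /sc onlogon, /tr <path>, ...
            i += 2
        else:
            i += 1
    return opts


def persistence_findings(opts):
    """Why a 'schtasks /create' is suspicious, one string per reason."""
    if not opts or opts.get("action") != "create":
        return []
    out = []
    tr = opts.get("tr", "").lower()
    if any(p in tr for p in USER_WRITABLE):
        out.append("task runs a binary from a user-writable path")
    if opts.get("sc", "").lower() in ("onlogon", "onstart", "minute", "hourly"):
        out.append(f"schedule '{opts['sc']}' relaunches the payload automatically")
    if opts.get("rl", "").lower() == "highest":
        out.append("task requests highest run level")
    if opts.get("tn", "").lower().endswith(".exe"):
        out.append(f"task name '{opts['tn']}' imitates a program name")
    return out


def triage(events):
    """Return (pid, finding) pairs for the whole process tree."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if is_script_dropper(image, cmdline):
            findings.append((pid, "script host running a script from a user-writable path"))
        for f in persistence_findings(parse_schtasks(cmdline)):
            findings.append((pid, f))
        parent = by_pid.get(ppid)
        if (parent and parent[2].lower().endswith(SCRIPT_HOSTS)
                and image.lower().endswith(".exe")
                and any(p in image.lower() for p in USER_WRITABLE)):
            findings.append((pid, f"PE dropped and launched by script host (parent PID {ppid})"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(f"{pid}: {finding}")
```

Run against the five events this yields eight findings: both wscript.exe instances match the dropper logic, ame.exe and fi.exe are PEs launched from Temp by a script host, and the schtasks line collects four persistence findings on its own. The same functions work on real Sysmon EventID 1 or Security 4688 records once the four fields are pulled out.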

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}
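
The configuration above is the most useful artefact in the report: it names the C2 host and port, the mutex, and which capabilities the operator switched on (keylogging, autostart, stripping the zone identifier from dropped files, custom resolvers). Note that the BackupDNSServer value carries trailing bytes the extractor read past the field end. The following is an added example, not part of the report and not NanoCore code: it parses the JSON as printed, lists C2 endpoints and enabled options, emits a flat IOC list, and treats the resolver fields as untrusted input so the garbled value is flagged rather than consumed. The one-line meanings in RISKY_FLAGS are the editor's reading of the option names, not vendor documentation.

```python
import ipaddress
import json

# Copied verbatim from the report's Malware Configuration section.
REPORT_CONFIG = '''{"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}'''

# Option names are NanoCore's; the meanings are the editor's reading of the
# names (assumption), not vendor documentation.
RISKY_FLAGS = {
    "KeyboardLogging": "keystroke capture",
    "RunOnStartup": "autostart persistence",
    "RequestElevation": "asks for elevation at start",
    "BypassUAC": "UAC bypass",
    "ClearZoneIdentifier": "removes Mark-of-the-Web from dropped files",
    "ClearAccessControl": "loosens file ACLs",
    "SetCriticalProcess": "marks itself critical (kill -> BSOD)",
    "PreventSystemSleep": "keeps the host awake",
    "UseCustomDNS": "resolves C2 via attacker-chosen resolvers",
}


def parse_ip(value):
    """Return (ip, None) for a clean IP literal, (None, value) otherwise.
    Config extractors can read past a field and append neighbouring bytes
    (the BackupDNSServer value above), so an unparsable field is reported
    as suspect instead of being trusted."""
    try:
        return str(ipaddress.ip_address(value)), None
    except ValueError:
        return None, value


def audit_nanocore_config(raw_json):
    cfg = json.loads(raw_json)
    port = int(cfg["Port"])
    # Both Domain slots share the single Port field; empty slots are skipped.
    c2 = [(cfg[k], port) for k in ("Domain1", "Domain2") if cfg.get(k)]
    enabled = sorted(k for k in RISKY_FLAGS if cfg.get(k) == "Enable")
    dns = {}
    for k in ("PrimaryDNSServer", "BackupDNSServer"):
        ip, suspect = parse_ip(cfg.get(k, ""))
        dns[k] = {"ip": ip, "suspect_value": suspect}
    return {
        "version": cfg.get("Version"),
        "mutex": cfg.get("Mutex"),
        "c2": c2,
        "enabled_flags": enabled,
        "dns": dns,
        # beacon timing, handy when matching against network telemetry
        "connect_delay_ms": cfg.get("ConnectDelay"),
        "keepalive_ms": cfg.get("KeepAliveTimeout"),
    }


def iocs(audit):
    """Flat IOC list for a blocklist or hunt query. The resolvers are public
    Google DNS and are deliberately not treated as indicators."""
    out = [f"mutex:{audit['mutex']}"]
    out += [f"c2:{host}:{port}" for host, port in audit["c2"]]
    return out


if __name__ == "__main__":
    result = audit_nanocore_config(REPORT_CONFIG)
    for flag in result["enabled_flags"]:
        print(f"enabled: {flag} ({RISKY_FLAGS[flag]})")
    for name, v in result["dns"].items():
        if v["suspect_value"]:
            print(f"suspect {name}: {v['suspect_value']!r}")
    print(*iocs(result), sep="\n")
```

On this configuration the audit reports one C2 endpoint (sys2021.linkpc.net:11940), five enabled options, a clean primary resolver and a suspect backup resolver value beginning with 8.8.4.4.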

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\fi.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\AppData\Local\Temp\fi.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(5 further entries not shown in this extract)

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1014d:$x1: NanoCore.ClientPluginHost
  • 0x1018a:$x2: IClientNetworkHost
  • 0x13cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfeb5:$a: NanoCore
  • 0xfec5:$a: NanoCore
  • 0x100f9:$a: NanoCore
  • 0x1010d:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0xff14:$b: ClientPlugin
  • 0x10116:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x1003b:$c: ProjectData
  • 0x10a42:$d: DESCrypto
  • 0x1840e:$e: KeepAlive
  • 0x163fc:$g: LogClientMessage
  • 0x125f7:$i: get_Connected
  • 0x10d78:$j: #=q
  • 0x10da8:$j: #=q
  • 0x10dc4:$j: #=q
  • 0x10df4:$j: #=q
  • 0x10e10:$j: #=q
  • 0x10e2c:$j: #=q
  • 0x10e5c:$j: #=q
  • 0x10e78:$j: #=q
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1021d:$x1: NanoCore.ClientPluginHost
  • 0x1025a:$x2: IClientNetworkHost
  • 0x13d8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(52 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.424e434.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.0.ame.exe.500000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.2.wscript.exe.16c170d0090.5.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(72 further entries not shown in this extract)

Sigma Overview

AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community; Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs', CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs', CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\ame.exe', ParentImage: C:\Users\user\AppData\Local\Temp\ame.exe, ParentProcessId: 6592, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs', ProcessId: 6700

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\ame.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\fi.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 81%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Metadefender: Detection: 90%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\ame.exe; Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\ame.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\fi.exe; Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\fi.exe; Metadefender: Detection: 90%
Source: C:\Users\user\AppData\Local\Temp\fi.exe; ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Notepads.exe; ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: Invoice No F1019855_PDF.vbs; Virustotal: Detection: 29%
Source: Invoice No F1019855_PDF.vbs; ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
Source: Yara match; File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match; File source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ame.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fi.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.dhcpmon.exe.c40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.c40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.ame.exe.500000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 26.0.Notepads.exe.ee0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 30.0.Notepads.exe.f40000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.fi.exe.4f70000.10.unpack; Avira: Label: TR/NanoCore.fadte
Source: 4.0.fi.exe.40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.fi.exe.40000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\fi.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: sys2021.linkpc.net
Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 79.137.109.121 ports 10090,0,1,4,9,11940
Potential malicious VBS script found (has network functionality)
Source: Initial file: zwLVbUFwZBZDbceUVAyKvSBZdGeuAMSuHWmohNPWzxPYjBKvHpkhxtBhvlsVpKwMjfvEpqnIkbKy.SaveToFile McuWOdLbqYeOPYiwaFEVWWSHoCSCcVdBKrzPZgVwoyASExZvjebwLKVpJnhMKIyUvcEXZTWtkIgY, JOszibYTglCXKYlUnHXtDSXmFsBPOvOQNEqqQpHaihrCgJSzpLUmlsiqrFtpZIElXmJGhvEx
Source: global traffic; TCP traffic: 192.168.2.6:49716 -> 79.137.109.121:11940
Source: global traffic; TCP traffic: 192.168.2.6:49725 -> 191.96.25.26:11940
Source: Joe Sandbox View; IP Address: 79.137.109.121
Source: unknown; TCP traffic detected without corresponding DNS query: 191.96.25.26 (reported 27 times)
Source: unknown; DNS traffic detected: queries for: sys2021.linkpc.net
Source: ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
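
The three network observations above (many ports on one IP, a second endpoint reached with no DNS query, and traffic on a non-standard port) are worth re-deriving from raw flow logs, because 191.96.25.26 is exactly the indicator a blocklist built from the configuration alone would miss. The following is an added example, not part of the report: it parses flow lines in the report's "src:port -> dst:port" notation, counts distinct ports per destination, lists public destinations that no DNS answer accounts for, and lists non-standard destination ports. Only the two 11940 connections and the port list 10090, 0, 1, 4, 9, 11940 come from the report; the other source ports, the COMMON_PORTS set and the mapping of sys2021.linkpc.net to 79.137.109.121 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Flow lines in the report's "src:port -> dst:port" form. The lines with
# source ports 49716 and 49725 are from the report; the rest are constructed
# from the report's statement that 79.137.109.121 was contacted on ports
# 10090, 0, 1, 4, 9 and 11940 (their source ports are made up).
FLOWS = """\
192.168.2.6:49716 -> 79.137.109.121:11940
192.168.2.6:49717 -> 79.137.109.121:10090
192.168.2.6:49718 -> 79.137.109.121:0
192.168.2.6:49719 -> 79.137.109.121:1
192.168.2.6:49720 -> 79.137.109.121:4
192.168.2.6:49721 -> 79.137.109.121:9
192.168.2.6:49725 -> 191.96.25.26:11940
192.168.2.6:49726 -> 191.96.25.26:11940
"""

# Assumed resolution: the report shows a query for sys2021.linkpc.net and
# flags only 191.96.25.26 as traffic without a DNS query.
DNS_ANSWERS = {"sys2021.linkpc.net": {"79.137.109.121"}}

COMMON_PORTS = {53, 80, 443}   # assumed baseline; tune to the environment


def parse_flow(line):
    """'192.168.2.6:49716 -> 79.137.109.121:11940' -> (sip, sport, dip, dport)."""
    src, dst = (p.strip() for p in line.split("->"))
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport)


def parse_flows(text):
    return [parse_flow(line) for line in text.splitlines() if "->" in line]


def ports_per_destination(flows):
    ports = defaultdict(set)
    for _, _, dip, dport in flows:
        ports[dip].add(dport)
    return {ip: sorted(p) for ip, p in ports.items()}


def many_ports(flows, threshold=3):
    """Destinations contacted on at least `threshold` distinct ports; mirrors
    the report's 'connects to many ports of the same IP' heuristic."""
    return {ip: p for ip, p in ports_per_destination(flows).items() if len(p) >= threshold}


def no_dns_destinations(flows, dns_answers):
    """Public destinations that no observed DNS answer accounts for: a
    hard-coded fallback C2 or an address resolved out of band. Order of
    first appearance is kept."""
    resolved = set().union(*dns_answers.values()) if dns_answers else set()
    seen = []
    for _, _, dip, _ in flows:
        if dip in resolved or dip in seen or ipaddress.ip_address(dip).is_private:
            continue
        seen.append(dip)
    return seen


def nonstandard_ports(flows):
    return sorted({(dip, dport) for _, _, dip, dport in flows if dport not in COMMON_PORTS})


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("many ports:", many_ports(flows))
    print("no DNS:", no_dns_destinations(flows, DNS_ANSWERS))
    print("non-standard:", nonstandard_ports(flows))
```

On the constructed flows this flags 79.137.109.121 for six distinct ports, names 191.96.25.26 as the only public destination with no DNS answer behind it, and lists every (ip, port) pair since 11940 and the low ports are all outside the baseline set.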

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match; File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
Source: Yara match; File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
Source: Yara match; File source: Process Memory Space: wscript.exe PID: 6