Analysis Report xGrfj8RvYg.exe
Overview
General Information
Detection
AsyncRAT
| Field | Value |
|---|---|
| Score | 92 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AsyncRAT
Creates an undocumented autostart registry key
Injects a PE file into a foreign process
Obfuscated command line found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number, etc.) of a device
Sample file name is different from the original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Non Interactive PowerShell
Tries to load missing DLLs
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Process Tree
Malware Configuration

Threatname: AsyncRAT

```json
{
  "Server": "216.230.75.62",
  "Ports": "1107",
  "Version": "0.5.7B",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "Install_File": "windonws.exe",
  "AES_key": "SZyWY7zJ1VdyEsSSd7sfsCsuxNXhSZI0",
  "Mutex": "AsyncMutex_6SI8OkPnk",
  "AntiDetection": "false",
  "External_config_on_Pastebin": "null",
  "BDOS": "false",
  "Startup_Delay": "3",
  "HWID": "null",
  "Certificate": "MIIE8jCCAtqgAwIBAgIQAMKnEVcvuQIQtAqxOy+oYTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNTE5MTM0ODQ1WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJvrsFgFjIMG1rYF1vehk3BhjSHAlQ5Noq7MIKWRa9CgdZHCTN/Gh9VwaWUYqMuzn6F4pGWgSAmwwuuouwlMe4g37Srpvawl5ocRkOnMC4MAsh08mucPg8f/kUN3DFtqO2yfgr3i83yX9keSdfqaCRcUoXh8Qhqa5F8Mlkd2yVOcsZvmTvaLsCtRZo9YOMZ/fnPBzu2NS+xv3qaqW723pMfbrFS04iokkSp5pRQhQRWPCNJ737a0ac9gBS/g1nAuElqEl62AgbprR6YAqsbsrSDo6kOEx7t071C7gbJaO4lu33Kchi/gIC3ftleFFQhqjWTIfxcOp/kuej5DIHH9QvyE12oi1qFc8dn+EVZ2yENyQcx4NOx73zUmFh20JIMW2x4qOfuT+MkkUstDEezdXOec8PzkGMhclDzMmhD3ZA1oIGnsupJHRTTPqMHHw8tx48rj09Xv4TQARpmMffPbW+GmunkNmKHqOsMN8oj2iVwbRK7mg+UJfUyQ+hhTz/AqeWaoRGjLJVSX/R6fs2uWXX6GD8ECOxEJfnm5hLQxwr0RRwOLqu+oVMvFqOZ3+4G1UD7QIIPESId0n6EdnDCLIGuk6PqXpqR7QQU+zvRmeK6VHOH/btjAYUNkEAM6gO0Z6hk6xDeCGxXnqtr3FWyk7V9FZoi4OSzqDPvyYf849Q1nAgMBAAGjMjAwMB0GA1UdDgQWBBR2rTenBO42ADwEdSVfGFG7Id35BjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBkM4Am3dA31vOlVb3L4HKAuNkOPN+Iw4uslCNRYxtAc3xbiaqC8tXWcNvzNWfVdTOYjdEbo8g5+weIaD7D5vmoHzvkkyEm9+1EMMl8KcMo4I/jQmvObI74N31e43thfQb0OPP32xc3M2gRpxplMLyPGl9M22u8r5tQPo2JX/YpP5oa8gSZLo4LK2grkQLI45aGm1CWuqrpReCckH6UZOoR2EeDHf+VDcSrNQ0KJUG6tyEWWUg0FTs0hham+juKVb7Ai9ktQekAfJpAz0GGIXjd4YRwug5GabiJTbL5vW64E8q38Lz/rITER9f1Tho9r7bw9EKTGp1Q6MB9PSLHxOBeefDvpxIO6G+O8p+s7Gd5GEFDkF9z6UxVeJifhI4G2fwTz3IkbpzlZ2lBslkCy/iHGYSRDwOvhA+VDmzKXJHoW7BK1PgBQcZ2m+N8BNIHScqCanzHjQhoFMJL9f7r+/rqtJ/ranxVgK+66zGwMf6MW3u9PF93O3bln9A7Yr6dEhKReQDi0R9/qhJbqisz7Fmo8/6zn715MHHfz2pRPGlPFQKuqug8RfieY8maAZj11TUtQuOiToVFoRQHtbT1JjYQXTq++aXZA47BRKFnqmVIj+zLGHo/FkWbraZL+35yLAfwwlE/YopW+uYFcIHAHgDQhWmfD7MuiwYAY4YtNkgi5g==",
  "ServerSignature": "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",
  "Group": "Default"
}
```
Yara Overview

Dropped Files

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp | |

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | |
| | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | |
| | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Sigma Overview

System Summary

| Rule | Author |
|---|---|
| Sigma detected: MSHTA Spawning Windows Shell | Michael Haag |