Play interactive tourEdit tour
Windows Analysis Report ms.bin
Overview
General Information
Detection
AsyncRAT
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 7 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 11 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Regsvr32 Anomaly | Show sources |
Source: | Author: Florian Roth, oscd.community: |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Antivirus detection for dropped file | Show sources |
Source: | Avira: | ||
Source: | Avira: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Window detected: |