Windows Analysis Report aQKifdER74.exe
Overview
General Information
Detection: AsyncRAT
| Score | 100 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
- Found malware configuration
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Multi AV Scanner detection for submitted file
- Antivirus detection for URL or domain
- Yara detected AsyncRAT
- Writes to foreign memory regions
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Yara detected Costura Assembly Loader
- Machine Learning detection for sample
- .NET source code contains potential unpacker
- Injects a PE file into a foreign process
- Tries to harvest and steal browser information (history, passwords, etc.)
- Uses 32bit PE files
- Queries the volume information (name, serial number, etc.) of a device
- Antivirus or Machine Learning detection for unpacked file
- May sleep (evasive loops) to hinder dynamic analysis
- Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
- Uses code obfuscation techniques (call, push, ret)
- Internet Provider seen in connection with other malware
- Detected potential crypto function
- Stores large binary data to the registry
- Sample execution stops while process was sleeping (likely an evasion)
- JA3 SSL client fingerprint seen in connection with other malware
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Downloads executable code via HTTP
- Uses insecure TLS / SSL version for HTTPS connection
- Contains long sleeps (>= 3 min)
- Enables debug privileges
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
- Sample file name is different from the original file name gathered from version info
- Tries to load missing DLLs
- Detected TCP or UDP traffic on non-standard ports
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- Creates a process in suspended mode (likely to inject code)
Classification
Process Tree
Malware Configuration
Threatname: AsyncRAT

```json
{
  "Server": "5.230.84.50,104.37.174.26,216.250.249.156",
  "Ports": "1465,1759,1985",
  "Version": "0.5.7B",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "Install_File": "",
  "AES_key": "CviFBxAIEOzETfTuvyDMiePzFR0znzEi",
  "Mutex": "AsyncMutex_6SI8OkPnk",
  "AntiDetection": "false",
  "External_config_on_Pastebin": "null",
  "BDOS": "false",
  "Startup_Delay": "3",
  "HWID": "null",
  "Certificate": "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",
  "ServerSignature": "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",
  "Group": "IZGroup"
}
```
Yara Overview
Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
Sigma Overview
System Summary:
- Sigma detected: Possible Applocker Bypass (Author: juju4)
Jbx Signature Overview
AV Detection:
- Found malware configuration (Source: Malware Configuration Extractor)