Edit tour

Windows Analysis Report
DCwTjs2dTP.exe

Overview

General Information

Sample Name:	DCwTjs2dTP.exe
Analysis ID:	679101
MD5:	2ed2a1d6604afeaa681f4c66dcd84194
SHA1:	6134d837220afe9377cd78950c8aca43dde08d8c
SHA256:	2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
Tags:	DCRatexeRAT
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for sample

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DCwTjs2dTP.exe (PID: 5664 cmdline: "C:\Users\user\Desktop\DCwTjs2dTP.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)

cmd.exe (PID: 2612 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5128 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5344 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

sihost.exe (PID: 5352 cmdline: "C:\Users\user\AppData\Roaming\sihost.exe" MD5: 2ED2A1D6604AFEAA681F4C66DCD84194)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICKzCCAZSgAwIBAgIVANmCJqwMXdgA6yyfZkFj0aZTsu+7MA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2Rldk5vZGUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTEwMjAwODIxNThaFw0zMjA3MjkwODIxNThaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoRh2gPhcjrCexqYsTMZyZzR9nvXDArts2Pxe7vU8QXZ/2N2LtomHs8oIRK8BSNIq8pybY9t19WGwPVl1go5W14d1Gku1DmuB7h/osKUvia9151iX4HtEJzVUZ21JY54BTSNkrB7mO9MIt+NPmW+T434g9pwjXeLqwPn9vNMjlDwIDAQABozIwMDAdBgNVHQ4EFgQUAiSCu6ZEkdGGrjqlINwtfX5B6ncwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCYJ/7raO8AXKrzJF9npX6m1mUuFIiPNrmznT/3GogAp/JEDW8keA7Mq+IuMV5zjeQ6jrHVToqCFDUPGd3/yMbwmDlQMYjuj+bNl5f5m2pjHKTX1B/QuUUUPLJ/kXiGOb2zml6uK4n5siqJB5Dhza1QKxnOe0RDyLEnlkVondXy6A==", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x115fbc:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x111f7:$b2: DcRat By qwqdanchun1 0x20733:$b2: DcRat By qwqdanchun1 0x20977:$b2: DcRat By qwqdanchun1 0x24e4b:$b2: DcRat By qwqdanchun1
0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x28bb:$b2: DcRat By qwqdanchun1 0x8cf3:$b2: DcRat By qwqdanchun1 0x8f2f:$b2: DcRat By qwqdanchun1
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x17991:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd13e:$q1: Select * from Win32_CacheMemory 0xd17e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd21a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd77a:$s1: DcRatBy
0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x678c:$a2: timeout 3 > NUL 0x67b8:$a3: START "" " 0x28d8:$b1: DcRatByqwqdanchun 0x2505f:$b2: DcRat By qwqdanchun1
0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1c6f:$b2: DcRat By qwqdanchun1
0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1c3b:$b2: DcRat By qwqdanchun1 0x1e77:$b2: DcRat By qwqdanchun1
0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xdddb:$b2: DcRat By qwqdanchun1
00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6e1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1ab4:$b1: DcRatByqwqdanchun 0xd5f8b:$b2: DcRat By qwqdanchun1
0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x8b87:$b2: DcRat By qwqdanchun1
0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xc6f:$b2: DcRat By qwqdanchun1
00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x587e7:$b2: DcRat By qwqdanchun1
Process Memory Space: DCwTjs2dTP.exe PID: 5664	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: DCwTjs2dTP.exe PID: 5664	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: DCwTjs2dTP.exe PID: 5664	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xcbf1:$a1: havecamera 0x14850:$b1: DcRatByqwqdanchun 0x3f712:$b1: DcRatByqwqdanchun 0x3f726:$b1: DcRatByqwqdanchun 0x42326:$b2: DcRat By qwqdanchun1
Process Memory Space: sihost.exe PID: 5352	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: sihost.exe PID: 5352	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x16682:$b1: DcRatByqwqdanchun 0x16696:$b1: DcRatByqwqdanchun 0x2b41:$b2: DcRat By qwqdanchun1 0x1f283:$b2: DcRat By qwqdanchun1 0x22062:$b2: DcRat By qwqdanchun1 0x3ce73:$b2: DcRat By qwqdanchun1 0x962c2:$b2: DcRat By qwqdanchun1
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb33e:$q1: Select * from Win32_CacheMemory 0xb37e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb3cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb41a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.DCwTjs2dTP.exe.abb0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xb97a:$s1: DcRatBy
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd13e:$q1: Select * from Win32_CacheMemory 0xd17e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1cc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd21a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd77a:$s1: DcRatBy
10.2.sihost.exe.54d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2f95d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2f8ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.3b4cbb0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.3b4cbb0.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2f95d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2f8ac:$s2: L2Mgc2NodGFza3MgL2
10.2.sihost.exe.54d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x3175d:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x316ac:$s2: L2Mgc2NodGFza3MgL2
Click to see the 6 entries

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 182.186.88.126 - Destination IP: 192.168.2.3

Timestamp:	182.186.88.126192.168.2.36906497402848152 08/05/22-09:16:42.961653
SID:	2848152
Source Port:	6906
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DCwTjs2dTP.exe

ReversingLabs: Detection: 50%

Antivirus / Scanner detection for submitted sample

Source: DCwTjs2dTP.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: DCwTjs2dTP.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sihost.exe

Joe Sandbox ML: detected

Source: 0.0.DCwTjs2dTP.exe.b10000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen

Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICKzCCAZSgAwIBAgIVANmCJqwMXdgA6yyfZkFj0aZTsu+7MA0GCSqGSIb3DQEBDQUAMF8xEDAOBgNVBAMMB2Rldk5vZGUxEzARBgNVBAsMCnF3cWRhbmNodW4xHDAaBgNVBAoME0RjUmF0IEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMTEwMjAwODIxNThaFw0zMjA3MjkwODIxNThaMBAxDjAMBgNVBAMMBURjUmF0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoRh2gPhcjrCexqYsTMZyZzR9nvXDArts2Pxe7vU8QXZ/2N2LtomHs8oIRK8BSNIq8pybY9t19WGwPVl1go5W14d1Gku1DmuB7h/osKUvia9151iX4HtEJzVUZ21JY54BTSNkrB7mO9MIt+NPmW+T434g9pwjXeLqwPn9vNMjlDwIDAQABozIwMDAdBgNVHQ4EFgQUAiSCu6ZEkdGGrjqlINwtfX5B6ncwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCYJ/7raO8AXKrzJF9npX6m1mUuFIiPNrmznT/3GogAp/JEDW8keA7Mq+IuMV5zjeQ6jrHVToqCFDUPGd3/yMbwmDlQMYjuj+bNl5f5m2pjHKTX1B/QuUUUPLJ/kXiGOb2zml6uK4n5siqJB5Dhza1QKxnOe0RDyLEnlkVondXy6A==", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Code function: 0_2_0ABC4E4C CryptFindOIDInfo,

Source: DCwTjs2dTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 182.186.88.126:6906 -> 192.168.2.3:49740

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: techandro.giize.com
Source: Malware configuration extractor	URLs: hsolic.duckdns.org

Source: Joe Sandbox View

ASN Name: PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 182.186.88.126:6906

Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: sihost.exe, 0000000A.00000002.521463363.0000000000E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabw
Source: DCwTjs2dTP.exe, 00000000.00000002.533258191.0000000003196000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531132514.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: unknown

DNS traffic detected: queries for: techandro.giize.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: sihost.exe, 0000000A.00000002.520705153.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364138
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361F10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01362D10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01363230
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367C38
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01362840
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0136804F
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01360448
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013622B0
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365BA8
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01360390
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365B99
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013641F9
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013641D1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366231
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366638
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364227
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366428
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366628
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367C28
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366419
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0136420C
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367464
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365068
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367468
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361268
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01361E58
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01365058
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01366240
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01364040
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_013642F3
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF1BDD
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF1F98
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF0E88
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_00DF0E78
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293322B
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937A50
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02932840
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02930448
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293804F
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931F10
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02932D10
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934138
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029342F3
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936419
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0293420C
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936231
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931237
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937A3A
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936638
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934227
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936428
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936628
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02931E58
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935058
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937442
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02936240
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02934040
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935068
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937468
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935B99
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02935BA8
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029341D1
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_029341F9
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B39458
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B3DDF0
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B38330
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B38320
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_04B32BD0

Source: DCwTjs2dTP.exe	Binary or memory string: OriginalFilename vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540773912.00000000047DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.541024622.000000000482A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000000.250219025.0000000000B36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540124638.0000000004791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe	Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe

Source: DCwTjs2dTP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DCwTjs2dTP.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File read: C:\Users\user\Desktop\DCwTjs2dTP.exe:Zone.Identifier

Jump to behavior

Source: DCwTjs2dTP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\DCwTjs2dTP.exe "C:\Users\user\Desktop\DCwTjs2dTP.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Roaming\sihost.exe

Jump to behavior

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp53F0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.winEXE@14/6@1/1

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: DCwTjs2dTP.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\sihost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\sihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""

Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sihost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DCwTjs2dTP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DCwTjs2dTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB0EAE push 0000003Eh; retn 0000h
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB2FD4 push eax; ret
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_0ABB13C9 push eax; ret
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Code function: 0_2_01367240 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_02937240 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0523C7F0 push eax; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Roaming\sihost.exe	Code function: 10_2_0523E190 push eax; mov dword ptr [esp], edx

Source: DCwTjs2dTP.exe

Static PE information: 0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.625943654905051
Source: initial sample	Static PE information: section name: .text entropy: 7.625943654905051

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

File created: C:\Users\user\AppData\Roaming\sihost.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'

Source: C:\Users\user\AppData\Roaming\sihost.exe

Key value created or modified: HKEY_CURRENT_USER\Software\C4D93783EC1A25CC28F9 94E168CABBEA0702E60265D1291BE8FE7C37724D89001E7AE9A73817F84114EF

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sihost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5164	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192	Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 1892	Thread sleep count: 9743 > 30

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sihost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\sihost.exe

Window / User API: threadDelayed 9743

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sihost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	File Volume queried: C:\ FullSizeInformation

Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r\
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\sihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Code function: 0_2_02EC9028 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"

Source: sihost.exe, 0000000A.00000002.532020880.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531872890.0000000002D49000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Users\user\Desktop\DCwTjs2dTP.exe VolumeInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\sihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\DCwTjs2dTP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\sihost.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: procexp.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	12 Process Injection	1 Masquerading	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	1 Modify Registry	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	21 Virtualization/Sandbox Evasion	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DCwTjs2dTP.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan
DCwTjs2dTP.exe	100%	Avira	TR/Dropper.MSIL.Gen
DCwTjs2dTP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\sihost.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\sihost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sihost.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.DCwTjs2dTP.exe.b10000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
hsolic.duckdns.org	0%	Avira URL Cloud	safe
techandro.giize.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
techandro.giize.com	182.186.88.126	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
hsolic.duckdns.org	true	Avira URL Cloud: safe	unknown
techandro.giize.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DCwTjs2dTP.exe, 00000000.00000002.533258191.0000000003196000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531132514.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
182.186.88.126	techandro.giize.com	Pakistan		45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679101
Start date and time: 05/08/202209:15:11	2022-08-05 09:15:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DCwTjs2dTP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.winEXE@14/6@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 5.7% (good quality ratio 4.1%) Quality average: 53.9% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.226, 20.189.173.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:16:25	Task Scheduler	Run new task: sihost path: "C:\Users\user\AppData\Roaming\sihost.exe"
09:16:44	API Interceptor	1x Sleep call for process: sihost.exe modified

Process:	C:\Users\user\AppData\Roaming\sihost.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\sihost.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1358915940078615
Encrypted:	false
SSDEEP:	6:kKku+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:rNkPlE99SNxAhUeE1
MD5:	CCCAC476B9113FEE393FAAE046C51F0B
SHA1:	C234350AFAE80DA95858F154CF4839421C1C2C62
SHA-256:	EE0601D893B6A6978040DCA0C315C7855E278DD1264DE7AF85B91CB2B4C33882
SHA-512:	81A9355BE6696ECBEAFD7ADA021F83E105AA42B61F981BCB597B6874C67847456CC7FD975348BC15E58DDDBAB64091E3DF0FE620FDCCB870FCC28C758E1CAB78
Malicious:	false
Reputation:	low
Preview:	p...... ...............(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DCwTjs2dTP.exe.log

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	5.092134229634079
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC5UWvSmqRDWXp5cViE2J5xAInTRI6WcZPy:hWKqTtT6WXp+NaZ5UWKmq1WXp+N23fTg
MD5:	F02730A3503455275DA10EFB33B82C09
SHA1:	76322B42303DBB065740A423FB414CEF653671E5
SHA-256:	09BE09339F9A333B4BA5580D3F6F6E9E928A5A13A1C6448631FAFB1AB0332D6D
SHA-512:	FE402C93721D335BFD90E8D1C2760D0BE95BA95F32FF7675F3B3A465192B5F766ECE30E472D91DAB5F262A4BDB2892854CB1C01E2BC84C6E20CB34EBBFEC96F4
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\sihost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp53F0.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\sihost.exe

Download File

Process:	C:\Users\user\Desktop\DCwTjs2dTP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	7.592025541663874
Encrypted:	false
SSDEEP:	1536:kbe1mZ5AK6G/WV+22ihLk3jb6B4LGt/XzNNu0oTj7A64MWy/ASOlvL4h59MfoZ+G:ZiLe+22iUXlGlXRN+zA6cQAp+ofoZ+G
MD5:	2ED2A1D6604AFEAA681F4C66DCD84194
SHA1:	6134D837220AFE9377CD78950C8ACA43DDE08D8C
SHA-256:	2A48FA5118BF1C97DE6A6B7B0A45BCC95BD678D54F31E2F2D003E5F3EA49C780
SHA-512:	B6DC02F1974D0D90B171432156B85044AB67B51C00C9A6F2CE98562342DD2AFB64AC36AE57E291D37DA0DB564C7191567183917971455969D9EB930C920E8979
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k............."...0.............I... ...`....@.. ....................................`..................................H..W....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H...........$l......;....................................................i,.7.=.v.":.....`.t.......>D.5./dos..D+..w..5...<Dp..=?.{....3eKn...f.Q....y......,.>\..8..R:+^H..6..l..H.W"..Y...TVf./..,.w..p.!........S.....x&.1...f.V...u..3O.....X.6xmb.....x.T..IwEY.t.%5..5....1Ca....\|1.Z1.gW..sa..E..+.w..x7=..N...8QY5.y.H....L..OJ...2.......<=..=cx.M....s..F...^....S...5........O.....?S.AU.s......:..........@..(=.Nt...q.4!..I......j.R\|..t.b...GA.{.7..i(.I.G2..z.u..y.6

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.592025541663874
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DCwTjs2dTP.exe
File size:	144384
MD5:	2ed2a1d6604afeaa681f4c66dcd84194
SHA1:	6134d837220afe9377cd78950c8aca43dde08d8c
SHA256:	2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
SHA512:	b6dc02f1974d0d90b171432156b85044ab67b51c00c9a6f2ce98562342dd2afb64ac36ae57e291d37da0db564c7191567183917971455969d9eb930c920e8979
SSDEEP:	1536:kbe1mZ5AK6G/WV+22ihLk3jb6B4LGt/XzNNu0oTj7A64MWy/ASOlvL4h59MfoZ+G:ZiLe+22iUXlGlXRN+zA6cQAp+ofoZ+G
TLSH:	D4E36B9D366036DFC867C872CAA82CA8AA50747B471BD203A45715EEDE4D99BCF050F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k............."...0..*...........I... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x42490e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x248b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x22914	0x22a00	False	0.8304095216606499	SysEx File - Victor	7.625943654905051	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x596	0x600	False	0.412109375	data	4.024186334587364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x260a0	0x30c	data
RT_MANIFEST	0x263ac	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
182.186.88.126192.168.2.36906497402848152 08/05/22-09:16:42.961653	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	6906	49740	182.186.88.126	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 09:16:42.343604088 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.507725000 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:42.507963896 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.793518066 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:42.961652994 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:42.980221033 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:43.147313118 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:43.202167988 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:46.467544079 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:46.836049080 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:46.836447001 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:47.193211079 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.082192898 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.449898958 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.450030088 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.612859011 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.734793901 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:58.906966925 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:58.953510046 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.070375919 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.440320969 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:16:59.441751003 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:16:59.811695099 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:05.920444012 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:05.969835997 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:06.131196976 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:06.173055887 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.167838097 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.545608044 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:10.545766115 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.730561972 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:10.782721996 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:10.952214003 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:11.004468918 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:11.991069078 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:12.361207008 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:12.361320972 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:12.723164082 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:21.618616104 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:21.978775024 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:21.979440928 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.142467022 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.189888000 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.352082014 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.379858017 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:22.742747068 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:22.743539095 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:23.120084047 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.216279030 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:33.586165905 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.586325884 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:33.750921965 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:33.878433943 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.040781975 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:34.080080032 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.441732883 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:34.442347050 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:34.888081074 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:35.953671932 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:36.003654957 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:36.184784889 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:36.237941027 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:44.886441946 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.245990038 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.247559071 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.411969900 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.504420042 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:45.665941000 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:45.682383060 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:46.049994946 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:46.050144911 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:46.436414957 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:56.406936884 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:56.767236948 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:56.767338991 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:56.949023008 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.146131992 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:57.307141066 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.372817039 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:57.735706091 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:17:57.735805988 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:17:58.094325066 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:05.973809958 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:06.146740913 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:06.311863899 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:06.443659067 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.011923075 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.389894009 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.390151978 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.563564062 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.740721941 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:08.901375055 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:08.914977074 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.280356884 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.280605078 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.526557922 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.647113085 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:09.808506966 CEST	6906	49740	182.186.88.126	192.168.2.3
Aug 5, 2022 09:18:09.869719028 CEST	49740	6906	192.168.2.3	182.186.88.126
Aug 5, 2022 09:18:10.230223894 CEST	6906	49740	182.186.88.126	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 09:16:42.094877958 CEST	49316	53	192.168.2.3	8.8.8.8
Aug 5, 2022 09:16:42.273111105 CEST	53	49316	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 5, 2022 09:16:42.094877958 CEST	192.168.2.3	8.8.8.8	0xf053	Standard query (0)	techandro.giize.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 09:16:42.273111105 CEST	8.8.8.8	192.168.2.3	0xf053	No error (0)	techandro.giize.com		182.186.88.126	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	09:16:16
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\DCwTjs2dTP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DCwTjs2dTP.exe"
Imagebase:	0xb10000
File size:	144384 bytes
MD5 hash:	2ED2A1D6604AFEAA681F4C66DCD84194
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: cmd.exePID: 2612, Parent PID: 5664

General

Target ID:	2
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5256, Parent PID: 2612

General

Target ID:	3
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 6128, Parent PID: 5664

General

Target ID:	4
Start time:	09:16:24
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5128, Parent PID: 2612

General

Target ID:	5
Start time:	09:16:25
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 3404, Parent PID: 6128

General

Target ID:	7
Start time:	09:16:25
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exePID: 5344, Parent PID: 6128

General

Target ID:	8
Start time:	09:16:26
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x1360000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: sihost.exePID: 5352, Parent PID: 6128

General

Target ID:	10
Start time:	09:16:29
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\sihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sihost.exe"
Imagebase:	0x7a0000
File size:	144384 bytes
MD5 hash:	2ED2A1D6604AFEAA681F4C66DCD84194
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DCwTjs2dTP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DCwTjs2dTP.exe.log

C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat

C:\Users\user\AppData\Roaming\sihost.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
DCwTjs2dTP.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre