Edit tour

Windows Analysis Report
Uhy4TvdjRw.exe

Overview

General Information

Sample Name:	Uhy4TvdjRw.exe
Analysis ID:	679246
MD5:	10135b39a4a6d8717ba8ceec380ef060
SHA1:	3669c101670b0b373dea1c7729718340196da4bc
SHA256:	45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Schedule system process

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Yara detected AsyncRAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Yara detected Generic Downloader

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Uhy4TvdjRw.exe (PID: 2508 cmdline: "C:\Users\user\Desktop\Uhy4TvdjRw.exe" MD5: 10135B39A4A6D8717BA8CEEC380EF060)

cmd.exe (PID: 5232 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MpCmdRun.exe (PID: 3572 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4756 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 5992 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5132 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

svchost.exe (PID: 4152 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 10135B39A4A6D8717BA8CEEC380EF060)

svchost.exe (PID: 5208 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 10135B39A4A6D8717BA8CEEC380EF060)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "127.0.0.1,61.14.233.88", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Uhy4TvdjRw.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Uhy4TvdjRw.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Uhy4TvdjRw.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x104bfb:$x1: AsyncRAT 0x104c39:$x1: AsyncRAT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x623f:$x1: AsyncRAT 0x627d:$x1: AsyncRAT
0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9363:$x1: AsyncRAT 0x93a1:$x1: AsyncRAT
00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x741b:$x1: AsyncRAT 0x7459:$x1: AsyncRAT
00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x741b:$x1: AsyncRAT 0x7459:$x1: AsyncRAT
00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa669:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa155:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x141fb:$x1: AsyncRAT 0x14239:$x1: AsyncRAT
00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1684a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14283:$x1: AsyncRAT 0x142c1:$x1: AsyncRAT
0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6f93:$x1: AsyncRAT 0x6fd1:$x1: AsyncRAT
0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1412b:$x1: AsyncRAT 0x14169:$x1: AsyncRAT
0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb7aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x27d97:$x1: AsyncRAT 0x27dd5:$x1: AsyncRAT
0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x142a3:$x1: AsyncRAT 0x142e1:$x1: AsyncRAT
Process Memory Space: Uhy4TvdjRw.exe PID: 2508	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Uhy4TvdjRw.exe PID: 2508	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x60dc:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xff7e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x19f34:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Uhy4TvdjRw.exe PID: 2508	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x95bf:$x1: AsyncRAT 0x95f1:$x1: AsyncRAT 0xfb82:$x1: AsyncRAT 0xfbb4:$x1: AsyncRAT 0x11236:$x1: AsyncRAT 0x11268:$x1: AsyncRAT 0x61a2:$s6: VirtualBox 0x19ffa:$s6: VirtualBox 0x6155:$s8: Win32_ComputerSystem 0x19fad:$s8: Win32_ComputerSystem
Process Memory Space: svchost.exe PID: 5208	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14014:$x1: AsyncRAT 0x14046:$x1: AsyncRAT 0x24ff8:$x1: AsyncRAT 0x2502a:$x1: AsyncRAT
Process Memory Space: svchost.exe PID: 4152	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: svchost.exe PID: 4152	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x39e8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: svchost.exe PID: 4152	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaab3:$x1: AsyncRAT 0xaae5:$x1: AsyncRAT 0xaaff:$x1: AsyncRAT 0xc05e:$x1: AsyncRAT 0xc090:$x1: AsyncRAT 0x1e657:$x1: AsyncRAT 0x1e689:$x1: AsyncRAT 0x2a1eb:$x1: AsyncRAT 0x2a21d:$x1: AsyncRAT
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Uhy4TvdjRw.exe.6d0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.Uhy4TvdjRw.exe.6d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Uhy4TvdjRw.exe.6d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Uhy4TvdjRw.exe.2b00314.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Uhy4TvdjRw.exe.2b00314.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8555:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 3 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Uhy4TvdjRw.exe" , ParentImage: C:\Users\user\Desktop\Uhy4TvdjRw.exe, ParentProcessId: 2508, ParentProcessName: Uhy4TvdjRw.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 5232, ProcessName: cmd.exe

Snort Signatures

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 61.14.233.88 - Destination IP: 192.168.2.3

Timestamp:	61.14.233.88192.168.2.37707497392035595 08/05/22-13:07:46.244143
SID:	2035595
Source Port:	7707
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 61.14.233.88 - Destination IP: 192.168.2.3

Timestamp:	61.14.233.88192.168.2.37707497392030673 08/05/22-13:07:46.244143
SID:	2030673
Source Port:	7707
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Uhy4TvdjRw.exe	Virustotal: Detection: 67%	Perma Link
Source: Uhy4TvdjRw.exe	Metadefender: Detection: 57%	Perma Link
Source: Uhy4TvdjRw.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: Uhy4TvdjRw.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

Avira: detection malicious, Label: HEUR/AGEN.1202836

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Users\user\AppData\Roaming\svchost.exe	Metadefender: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Roaming\svchost.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Source: Uhy4TvdjRw.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,61.14.233.88", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Source: Uhy4TvdjRw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Uhy4TvdjRw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\svchost.exe

Network Connect: 61.14.233.88 7707

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 61.14.233.88:7707 -> 192.168.2.3:49739
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 61.14.233.88:7707 -> 192.168.2.3:49739

Yara detected Generic Downloader

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 61.14.233.88:7707

Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88

Source: svchost.exe, 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000B.00000002.534132653.0000000005115000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Uhy4TvdjRw.exe, 00000000.00000002.278002213.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Uhy4TvdjRw.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: Uhy4TvdjRw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Uhy4TvdjRw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC91C8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC9EA0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04ECDB40
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04ECF7F8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC8E80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_057D32D8

Source: Uhy4TvdjRw.exe, 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe
Source: Uhy4TvdjRw.exe, 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe
Source: Uhy4TvdjRw.exe	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe

Source: Uhy4TvdjRw.exe	Virustotal: Detection: 67%
Source: Uhy4TvdjRw.exe	Metadefender: Detection: 57%
Source: Uhy4TvdjRw.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File read: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Jump to behavior

Source: Uhy4TvdjRw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Uhy4TvdjRw.exe "C:\Users\user\Desktop\Uhy4TvdjRw.exe"
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Local\Temp\tmp93E6.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/8@0/1

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: Uhy4TvdjRw.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: Uhy4TvdjRw.exe, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe
Source: svchost.exe.0.dr, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""

Source: C:\Users\user\AppData\Roaming\svchost.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Uhy4TvdjRw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Uhy4TvdjRw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Uhy4TvdjRw.exe, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Source: C:\Users\user\AppData\Roaming\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Uhy4TvdjRw.exe, svchost.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe TID: 1112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4780	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6064	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6064	Thread sleep count: 95 > 30
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2244	Thread sleep count: 9799 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\svchost.exe

Window / User API: threadDelayed 9799

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: svchost.exe.0.dr	Binary or memory string: vmware
Source: svchost.exe, 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\svchost.exe

Network Connect: 61.14.233.88 7707

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"

Source: svchost.exe, 0000000B.00000002.528588986.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.306525634.0000000005801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528776831.0000000002A38000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Queries volume information: C:\Users\user\Desktop\Uhy4TvdjRw.exe VolumeInformation
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: svchost.exe, 0000000B.00000002.534132653.0000000005115000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	112 Process Injection	11 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Uhy4TvdjRw.exe	68%	Virustotal		Browse
Uhy4TvdjRw.exe	57%	Metadefender		Browse
Uhy4TvdjRw.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
Uhy4TvdjRw.exe	100%	Avira	HEUR/AGEN.1202836
Uhy4TvdjRw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	100%	Avira	HEUR/AGEN.1202836
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost.exe	68%	Virustotal		Browse
C:\Users\user\AppData\Roaming\svchost.exe	57%	Metadefender		Browse
C:\Users\user\AppData\Roaming\svchost.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Uhy4TvdjRw.exe.6d0000.0.unpack	100%	Avira	HEUR/AGEN.1202836		Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	95.140.230.192	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Uhy4TvdjRw.exe, 00000000.00000002.278002213.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
61.14.233.88	unknown	Viet Nam		45899	VNPT-AS-VNVNPTCorpVN	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679246
Start date and time: 05/08/202213:06:17	2022-08-05 13:06:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Uhy4TvdjRw.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/8@0/1
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 23.211.6.115, 95.140.230.192, 8.238.189.126, 8.238.190.126, 8.248.141.254, 8.248.117.254, 67.26.139.254
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, client-office365-tas.msedge.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
Execution Graph export aborted for target Uhy4TvdjRw.exe, PID 2508 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5208 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:07:36	Task Scheduler	Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
13:07:47	API Interceptor	1x Sleep call for process: svchost.exe modified
13:08:49	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	290
Entropy (8bit):	2.947388251222562
Encrypted:	false
SSDEEP:	6:kKf11+N+SkQlPlEGYRMY9z+4KlDA3RUe/:311NkPlE99SNxAhUe/
MD5:	AA449CC3E819D614B28CB03C1D01D8BF
SHA1:	782EF6F88E4BF68E6D5B823AE7DCFA73B3DB4DA5
SHA-256:	1477C8430F191DAD859F18B5B1511440B7E331BEED1A1BB18B7506A964D8FB76
SHA-512:	1DC5EC42331021DC9C8F27EE6DE63B1CF83485EDA11F5E46CBC1E64811579E89C518FFBFC05FC6C0CB56497AAD9505962C048A977A67C1D60BBC734E0A6F85AF
Malicious:	false
Preview:	p...... ...............(....................................................... .........L.........................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uhy4TvdjRw.exe.log

Download File

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.348034597186669
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhg84j
MD5:	07FC10473CB7F0DEC42EE8079EB0DF28
SHA1:	90FA6D0B604991B3E5E8F6DB041651B10FD4284A
SHA-256:	A42B61DFB4AF366D05CE1815C88E2392C7C4AA9B6B17604234BEB7A7DADA7E4C
SHA-512:	D7240EE88D207E631990907AFA96C8384FB51729A16247BD4BDB96CBA3C4CDB9A68ADCD07819B2242A0F395690AD831B1B547EC91E988CBE39398F472055D56F
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat

Download File

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	5.102625473568323
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC5ZACSmqRDWXp5cViE2J5xAInTRI2WjVZPy:hWKqTtT6WXp+NaZ5Omq1WXp+N23fTXWq
MD5:	6D013B1CAFE4160FDC1F7B36C3145E1A
SHA1:	C80E8E5E33E867683564C8E649DB78ED5ED6A1D2
SHA-256:	254D27DCF87576D5221575F043F5BB32F4A2E508B4B7A98244AF933C678D7226
SHA-512:	301C4B0635C31D563B6286239A0711B753A453B02BC4623E21FF6A896186602F147E74956CD7B879EA0ECE8593F6A391C5C0FD87F66DCF98C6CF1988DE2631B4
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp93E6.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\svchost.exe

Download File

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.575530706715254
Encrypted:	false
SSDEEP:	768:wuK49TH4EjZWUR+ejmo2qrw8sJrKKIixPIAoqVcg0b1G24HftYUpG5ilsga8yBDu:wuK49THf52HtuAo9rbMNYUpnfMdh+
MD5:	10135B39A4A6D8717BA8CEEC380EF060
SHA1:	3669C101670B0B373DEA1C7729718340196DA4BC
SHA-256:	45E87EE0B025A7E4A783A6786564982E7735C8C50D0B3D84A3D5DD90CE735CFE
SHA-512:	71CC73FBB213529A14FB94C56F1A056AE5DB940A7AAC22079AE9A238A9633DDD64B7D8FF9B3A023051C9D6CFBBED48E90F14F2E17A2F6893AE9B3B6F46DD31EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 68%, Browse Antivirus: Metadefender, Detection: 57%, Browse Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................\...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..`v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr.%.p~....(o....#....s...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.1650995689703207
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zq+F:j+s+v+b+P+m+0+Q+q+5+F
MD5:	78B72556A96E740F02ADAB636DC17FB1
SHA1:	5382CFD5A6C1DE0541DE9CC4EE515CC2F63654F4
SHA-256:	915A96B1B706C95F06CF841A202296F34942DD69E7C7C83EDA9B2A79F93BF435
SHA-512:	1217A1B06E44EEF2BCC63BDC27C130932FEC307277722FD4E3DCDBA0A225918953BE239BCF19E0C2C35C5CD5B4E004893ACABB96F15A893B4D089DB2E0C5CE77
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.575530706715254
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Uhy4TvdjRw.exe
File size:	49152
MD5:	10135b39a4a6d8717ba8ceec380ef060
SHA1:	3669c101670b0b373dea1c7729718340196da4bc
SHA256:	45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe
SHA512:	71cc73fbb213529a14fb94c56f1a056ae5db940a7aac22079ae9a238a9633ddd64b7d8ff9b3a023051c9d6cfbbed48e90f14f2e17a2f6893ae9b3b6f46dd31ee
SSDEEP:	768:wuK49TH4EjZWUR+ejmo2qrw8sJrKKIixPIAoqVcg0b1G24HftYUpG5ilsga8yBDu:wuK49THf52HtuAo9rbMNYUpnfMdh+
TLSH:	61233B003BE9822BF2BE4F789DF22145467AB1673607D64E6CC441D75A13FC19A42AFE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40d0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd05c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x8c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0b4	0xb200	False	0.5427273525280899	data	5.624119295582564	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x8c8	0xa00	False	0.3765625	data	5.0748901103993935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe0a0	0x394	data
RT_MANIFEST	0xe434	0x493	exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
61.14.233.88192.168.2.37707497392035595 08/05/22-13:07:46.244143	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	7707	49739	61.14.233.88	192.168.2.3
61.14.233.88192.168.2.37707497392030673 08/05/22-13:07:46.244143	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	7707	49739	61.14.233.88	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:07:45.648207903 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:45.930344105 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:45.930579901 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:45.962605953 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.244143009 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.244194984 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.244291067 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.248120070 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.566440105 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.643579960 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:49.418629885 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:49.902847052 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:49.903542042 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:50.386825085 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:01.679904938 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.169430017 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.169563055 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.451380968 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.535649061 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.816046000 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.921156883 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:03.402391911 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:03.402510881 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:03.887619019 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:14.365777969 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:14.855849981 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:14.855950117 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.136513948 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.177320004 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.457210064 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.521085024 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.538252115 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.800976992 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.801150084 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:16.029189110 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:16.293257952 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:26.633465052 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.121565104 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.125171900 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.408021927 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.506469011 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.786192894 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.793873072 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:28.277340889 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:28.277441978 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:28.777179003 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:38.933715105 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:39.417967081 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:39.418081045 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:39.699002028 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:39.741934061 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.021214962 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:40.026793003 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.512087107 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:40.512187958 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.998488903 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:45.606575012 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:45.851788044 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:46.131325006 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:46.242445946 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.230092049 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.714715004 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:51.714873075 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.996316910 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.055486917 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:52.335429907 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.348324060 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:52.839986086 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.840198040 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:53.324326038 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:03.528692961 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.011859894 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.011940002 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.293437958 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.337769985 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.617676020 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.665924072 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.842731953 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:05.324264050 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:05.324431896 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:05.808985949 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.584073067 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.635601044 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:15.831409931 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:15.914891958 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.915205956 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:16.194834948 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.195557117 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.245033026 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:16.524821997 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.529345989 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:17.011609077 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:17.011742115 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:17.496249914 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.139405012 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:28.636779070 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.636989117 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:28.917084932 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.964931011 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:29.244489908 CEST	7707	49739	61.14.233.88	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 13:07:47.267018080 CEST	8.8.8.8	192.168.2.3	0xd471	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)
Aug 5, 2022 13:07:47.267018080 CEST	8.8.8.8	192.168.2.3	0xd471	No error (0)	windowsupdatebg.s.llnwi.net		178.79.225.0	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	13:07:25
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uhy4TvdjRw.exe"
Imagebase:	0x6d0000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Analysis Process: cmd.exePID: 5232, Parent PID: 2508

General

Target ID:	4
Start time:	13:07:33
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2936, Parent PID: 5232

General

Target ID:	5
Start time:	13:07:33
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 5992, Parent PID: 2508

General

Target ID:	6
Start time:	13:07:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 4756, Parent PID: 5232

General

Target ID:	7
Start time:	13:07:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Imagebase:	0x9e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 6052, Parent PID: 5992

General

Target ID:	8
Start time:	13:07:35
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exePID: 5132, Parent PID: 5992

General

Target ID:	9
Start time:	13:07:35
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x80000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exePID: 5208, Parent PID: 848

General

Target ID:	10
Start time:	13:07:36
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0xc00000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, Virustotal, Browse Detection: 57%, Metadefender, Browse Detection: 96%, ReversingLabs
Reputation:	low

Analysis Process: svchost.exePID: 4152, Parent PID: 5992

General

Target ID:	11
Start time:	13:07:38
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x260000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Analysis Process: MpCmdRun.exePID: 3572, Parent PID: 2936

General

Target ID:	29
Start time:	13:08:48
Start date:	05/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4412, Parent PID: 3572

General

Target ID:	30
Start time:	13:08:49
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uhy4TvdjRw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uhy4TvdjRw.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat

C:\Users\user\AppData\Roaming\svchost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Uhy4TvdjRw.exe