
Windows Analysis Report
af5Cop6pCN.exe

Overview

General Information

Sample Name: af5Cop6pCN.exe
Analysis ID: 708255
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • af5Cop6pCN.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\af5Cop6pCN.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
    • cmd.exe (PID: 1236 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1592 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
    • cmd.exe (PID: 1256 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3228 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
      • svchost.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • svchost.exe (PID: 1120 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • cleanup
Malware Configuration (AsyncRAT, as extracted by the sandbox):
{"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Source | Rule | Description | Author | Strings
af5Cop6pCN.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy
Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1973d:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy

Source | Rule | Description | Author | Strings
00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0xc6c8:$b2: DcRat By qwqdanchun1
00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1da1c:$b2: DcRat By qwqdanchun1
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x468c:$b2: DcRat By qwqdanchun1
00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
Source | Rule | Description | Author | Strings
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy
0.2.af5Cop6pCN.exe.12fb80c8.1.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x14086:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x13fcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x13f46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x13f94:$s4: VmlydHVhbFByb3RlY3Q

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\af5Cop6pCN.exe" , ParentImage: C:\Users\user\Desktop\af5Cop6pCN.exe, ParentProcessId: 4856, ParentProcessName: af5Cop6pCN.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 1236, ProcessName: cmd.exe

Snort IDS alerts:
Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
SID: 2848152
Source Port: 9087
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
SID: 2034847
Source Port: 9087
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: af5Cop6pCN.exe | ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1235730
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Source: af5Cop6pCN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: af5Cop6pCN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking