Source: 0.0.Stub.exe.50000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 00000000.00000002.508243418.0000000002511000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "egrh.linkpc.net", "Port": "5505", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"} |
Source: Stub.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: Stub.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 142.202.240.108:5505 -> 192.168.2.3:49689 |
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 142.202.240.108:5505 -> 192.168.2.3:49689 |
Source: Yara match | File source: Stub.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Malware configuration extractor | URLs: egrh.linkpc.net |
Source: global traffic | TCP traffic: 192.168.2.3:49689 -> 142.202.240.108:5505 |
Source: Stub.exe, 00000000.00000002.510490105.00000000049AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: Stub.exe, 00000000.00000003.256955733.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Stub.exe, 00000000.00000002.510364745.0000000004966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: Stub.exe, 00000000.00000003.256955733.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Stub.exe, 00000000.00000003.257540314.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, Stub.exe, 00000000.00000003.257743735.00000000006A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/G |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: Stub.exe, 00000000.00000003.257368805.00000000049B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab33 |
Source: Stub.exe, 00000000.00000002.508243418.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: unknown | DNS traffic detected: queries for: egrh.linkpc.net |
Source: Yara match | File source: Stub.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.237566508.0000000000052000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.508243418.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Stub.exe PID: 5484, type: MEMORYSTR |
Source: C:\Users\user\Desktop\Stub.exe | Window created: window name: CLIPBRDWNDCLASS |
Source: Stub.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Stub.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000000.00000002.510364745.0000000004966000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000003.474031615.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.505594690.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000000.237566508.0000000000052000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000003.384798750.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000003.432092160.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.508243418.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: Stub.exe PID: 5484, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: Stub.exe PID: 5484, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Stub.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: Stub.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Stub.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.0.Stub.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000000.00000002.510364745.0000000004966000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000003.474031615.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.505594690.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000000.237566508.0000000000052000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000003.384798750.000000000061D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000003.432092160.0000000000631000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.508243418.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: Stub.exe PID: 5484, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: Stub.exe PID: 5484, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
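The INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse matches above flag a common .NET-stub evasion: the autorun (ASEP) registry path is stored backwards, so a plain string search for Software\Microsoft\Windows\CurrentVersion\Run never sees it and the sample reverses it at runtime. The scanner below is an added example, not part of this report or of ditekSHen's rule: it looks for the reversed form of a short, hand-picked list of ASEP keys in both ASCII and UTF-16LE (the encoding of .NET string literals, relevant because TrID classifies this sample as a .NET executable), reports the file offset, and reverses each hit back to the forward key. The key list and the sample blob are constructed for the example.

```python
# Added example: scan a byte blob for reversed ASEP autorun registry paths, the
# evasion flagged by INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse. Not the report's
# or the rule author's code; ASEP_KEYS and SAMPLE_BLOB are constructed here.
import re
import sys
from dataclasses import dataclass

# Well-known autorun key paths (HKCU/HKLM-relative); extend as needed.
ASEP_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
ENCODINGS = ("ascii", "utf-16le")  # .NET stores string literals as UTF-16LE


@dataclass
class Hit:
    key: str       # forward key path the reversed bytes decode to
    encoding: str
    offset: int
    end: int


def _patterns():
    """One case-insensitive bytes pattern per (key, encoding), built from the reversed key."""
    pats = []
    for key in ASEP_KEYS:
        for enc in ENCODINGS:
            pats.append((key, enc, re.compile(re.escape(key[::-1].encode(enc)), re.IGNORECASE)))
    return pats


PATTERNS = _patterns()


def find_reversed_asep(data: bytes) -> list[Hit]:
    """Return reversed-ASEP hits sorted by offset. A ...\\Run hit that lies
    entirely inside a ...\\RunOnce hit is dropped so each occurrence is reported once."""
    hits = [Hit(key, enc, m.start(), m.end())
            for key, enc, pat in PATTERNS
            for m in pat.finditer(data)]
    hits.sort(key=lambda h: (h.offset, -(h.end - h.offset)))
    kept: list[Hit] = []
    for h in hits:
        if any(k.offset <= h.offset and h.end <= k.end for k in kept):
            continue
        kept.append(h)
    return kept


def recover_key(data: bytes, hit: Hit) -> str:
    """Decode the matched bytes and reverse them back to the forward key path."""
    return data[hit.offset:hit.end].decode(hit.encoding)[::-1]


# Constructed blob: fake header, a reversed Run key as UTF-16LE, a reversed
# RunOnce key as ASCII, then a forward Run key that must NOT be flagged.
SAMPLE_BLOB = (
    b"MZ" + bytes(30)
    + ASEP_KEYS[0][::-1].encode("utf-16le")
    + bytes(8)
    + ASEP_KEYS[1][::-1].encode("ascii")
    + bytes(8)
    + ASEP_KEYS[0].encode("ascii")
)


if __name__ == "__main__":
    # Usage: python scan.py <file>; with no argument the constructed blob is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for h in find_reversed_asep(data):
        print(f"0x{h.offset:08x} {h.encoding:9s} reversed {recover_key(data, h)}")
```

Run it against the unpacked PE (0.0.Stub.exe.50000.0.unpack) rather than the packed sample when the strings are only present after unpacking; on the packed file an empty result is not evidence of absence. The containment filter matters because the reversed Run path is a suffix of the reversed RunOnce path, so without it every RunOnce occurrence would be double-counted.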
Source: Stub.exe, 00000000.00000002.510626345.0000000004BE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Stub.exe |
Source: C:\Users\user\Desktop\Stub.exe | Code function: 0_2_0098C51C |
Source: Stub.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Stub.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Stub.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\Stub.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\Stub.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: Stub.exe, eGlSQbxmQMrQhm/plUQqHPHKqQ.cs | Base64 encoded string: 'laukwBCTjYRoqHFCmAt9kjzyfCkFf18LOnFD55PbbIYaigees0liP+EQECnHEGgsV/dSMIxuUxZJha8SsnKbpA==', ..., 'p42Rw9P9+Tk8A5wcgXvTTvLmy