Windows
Analysis Report
UxaZyTE7nq.exe
Overview
General Information
Detection
AsyncRAT, DcRat, VenomRAT
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected DcRat
Yara detected VenomRAT
Yara detected AsyncRAT
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Contains functionality to load drivers
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file name differs from the original file name recorded in the version info
PE file contains an invalid checksum
Enables driver privileges
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Binary contains a suspicious time stamp
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- UxaZyTE7nq.exe (PID: 5248, cmdline: C:\Users\user\Desktop\UxaZyTE7nq.exe, MD5: 91A442B21FB353B221EA33E767C7FE1B)
  - MSBuild.exe (PID: 3164, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
  - aspnet_regsql.exe (PID: 4860, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe, MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)
  - AddInProcess.exe (PID: 1792, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
  - EdmGen.exe (PID: 4856, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe, MD5: 2B6A31DFD7C9ED8B413DBDAB800F10F3)
  - RegAsm.exe (PID: 4916, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe, MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  - Microsoft.Workflow.Compiler.exe (PID: 3232, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe, MD5: D91462AE31562E241AF5595BA5E1A3C4)
  - SMSvcHost.exe (PID: 5564, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe, MD5: 7EC8B56348F9298BCCA7A745C7F70E2C)
  - ngen.exe (PID: 1368, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe, MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)
  - aspnet_regbrowsers.exe (PID: 784, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe, MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)
  - AddInUtil.exe (PID: 4504, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe, MD5: 65D30D747EB31E108A36EBC966C1227D)
  - mscorsvw.exe (PID: 4840, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe, MD5: B00E9325AC7356A3F4864EAAAD48E13F)
  - cvtres.exe (PID: 3440, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  - ServiceModelReg.exe (PID: 5388, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe, MD5: 80B018258257C2F78CBFE08198883AC1)
  - jsc.exe (PID: 4532, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe, MD5: 2B40A449D6034F41771A460DADD53A60)
- cleanup
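The process tree above is the visible side of the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file into a foreign process" signatures: the sample, running from a user-writable path, starts one signed .NET Framework utility after another with an empty command line and uses each as an injection host. The following is an added example (not code from the sandbox or from the RAT) that flags that pattern in a process list; the record layout (`pid`, `ppid`, `image`, `cmdline`) and the sample rows are constructed for illustration, modelled on a subset of the tree above plus one benign control.

```python
import ntpath
import re

# Added example, not part of the report: flag a parent in a user-writable path
# spawning .NET Framework utilities with no arguments (typical hollowing hosts).
FRAMEWORK_DIR = re.compile(r"\\microsoft\.net\\framework(64)?\\v\d+\.\d+\.\d+\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)

# Constructed input (field names are an assumption, not the sandbox export format):
# a subset of the tree above plus Visual Studio building a project as a control.
SAMPLE_TREE = [
    {"pid": 5248, "ppid": 1234, "image": r"C:\Users\user\Desktop\UxaZyTE7nq.exe",
     "cmdline": r"C:\Users\user\Desktop\UxaZyTE7nq.exe"},
    {"pid": 3164, "ppid": 5248, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"pid": 4860, "ppid": 5248, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"'},
    {"pid": 4916, "ppid": 5248, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"},
    {"pid": 7000, "ppid": 1234, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" app.csproj /t:Build'},
]


def has_no_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is only the image path, quoted or bare."""
    c = cmdline.strip()
    if c.startswith('"'):
        close = c.find('"', 1)
        if close == -1:
            return False
        head, rest = c[1:close], c[close + 1:]
    elif ntpath.normcase(c).startswith(ntpath.normcase(image)):
        # bare path, possibly containing spaces: split at the image length
        head, rest = c[:len(image)], c[len(image):]
    else:
        head, _, rest = c.partition(" ")
    return ntpath.normcase(head) == ntpath.normcase(image) and not rest.strip()


def find_hollowing_candidates(tree):
    """Yield (parent pid, child pid, child name) for argument-less framework
    utilities whose parent image lives in a user-writable location."""
    by_pid = {p["pid"]: p for p in tree}
    hits = []
    for proc in tree:
        parent = by_pid.get(proc["ppid"])
        if parent is None or not FRAMEWORK_DIR.search(proc["image"]):
            continue
        if not has_no_arguments(proc["image"], proc["cmdline"]):
            continue
        if not USER_WRITABLE.match(parent["image"]):
            continue
        hits.append((parent["pid"], proc["pid"], ntpath.basename(proc["image"])))
    return hits


def summarize(tree):
    """Group hits per parent; one parent driving several hosts is the strongest signal."""
    per_parent = {}
    for ppid, _, name in find_hollowing_candidates(tree):
        per_parent.setdefault(ppid, []).append(name)
    return per_parent


if __name__ == "__main__":
    for ppid, hosts in summarize(SAMPLE_TREE).items():
        print(f"PID {ppid} spawned {len(hosts)} argument-less framework hosts: {', '.join(hosts)}")
```

The benign control (devenv.exe under Program Files launching MSBuild with a project file) is excluded twice over, by the parent path and by the non-empty arguments; on real telemetry the parent-path check is the one to tune, since installers and updaters in ProgramData also launch ngen.exe and mscorsvw.exe, usually with arguments.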
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may harm the victim's computer. In addition, AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"Server": "127.0.0.1,91.134.187.20", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.1", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "fLhIsNqVZyP3FtIfE3paid39lvLLS0GF", "Mutex": "mhtuxtjimxsu", "Certificate": "…", "ServerSignature": "kFvNmgZ/O5v1sx/qrRRjCJ65ULSYW0YUs6D8HUtcZiIPmdxxX1FnuqnG7Hqf58PvDX3GI/brbGZ53PRUq5Q2RpiVxj+vfAPMR0vYli5u3fC8P3PEfV6q8ByxVzA/JPq19BNQyRc/ggnXxDaQb3mMnaO7P9LiftEDaJle8Xfr3Kk=", "BDOS": "null", "Exter
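The extracted configuration is the most actionable part of the report: `Server` and `Ports` are comma-separated lists (the `127.0.0.1` entry is the builder's placeholder), `Mutex` is a host artefact, and `Autorun` tells you whether persistence was requested. The following is an added example (not code from the sandbox or from the RAT) that turns such a configuration into IOCs and Snort rules. The input is constructed from the fields visible above with the `Certificate` and `ServerSignature` values left out; the assumption that every listed server is tried on every listed port, and the rule `msg`/`sid` values, are the example's own.

```python
import ipaddress
import json

# Constructed from the configuration fields shown in this report (added example,
# not the sandbox's output). Certificate and ServerSignature are omitted.
EXTRACTED_CONFIG = json.dumps({
    "Server": "127.0.0.1,91.134.187.20",
    "Ports": "4449",
    "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.1",
    "Autorun": "false",
    "Install_Folder": "%AppData%",
    "AES_key": "fLhIsNqVZyP3FtIfE3paid39lvLLS0GF",
    "Mutex": "mhtuxtjimxsu",
})


def _routable(host: str) -> bool:
    """Drop the loopback placeholder the builder leaves in the Server list."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address: keep it
        return True


def parse_c2_endpoints(cfg: dict) -> list[tuple[str, int]]:
    """Server and Ports are comma-separated; assume each server is tried on each port."""
    servers = [s.strip() for s in cfg.get("Server", "").split(",") if s.strip()]
    ports = [int(p) for p in cfg.get("Ports", "").split(",") if p.strip().isdigit()]
    return [(s, p) for s in servers if _routable(s) for p in ports]


def build_iocs(config_json: str) -> dict:
    """Network, host and clustering artefacts from one extracted configuration."""
    cfg = json.loads(config_json)
    return {
        "family_banner": cfg.get("Version"),
        "c2": [f"{h}:{p}" for h, p in parse_c2_endpoints(cfg)],
        "mutex": cfg.get("Mutex"),
        "autorun": cfg.get("Autorun", "").lower() == "true",
        "install_folder": cfg.get("Install_Folder"),
        # In this family the AES_key string is the operator's passphrase from
        # which the transport key is derived; treat it as a build identifier.
        "key_material": cfg.get("AES_key"),
    }


def snort_rules(config_json: str, base_sid: int = 1000001) -> list[str]:
    """One alert rule per routable C2 endpoint; sid values are an assumption."""
    cfg = json.loads(config_json)
    return [
        f'alert tcp $HOME_NET any -> {host} {port} '
        f'(msg:"RAT C2 from extracted config {host}:{port}"; '
        f'flow:to_server,established; sid:{base_sid + i}; rev:1;)'
        for i, (host, port) in enumerate(parse_c2_endpoints(cfg))
    ]


if __name__ == "__main__":
    print(json.dumps(build_iocs(EXTRACTED_CONFIG), indent=2))
    print("\n".join(snort_rules(EXTRACTED_CONFIG)))
```

The same `Mutex` and `AES_key` values recur across samples built from one operator's panel, so they are worth keeping alongside the network indicators even though neither is something you block on.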