Windows Analysis Report
UxaZyTE7nq.exe

Overview

General Information

Sample Name:UxaZyTE7nq.exe
Original Sample Name:91a442b21fb353b221ea33e767c7fe1b.exe
Analysis ID:816262
MD5:91a442b21fb353b221ea33e767c7fe1b
SHA1:e58e0d08ebdc5e91f43631b339c573a732c07056
SHA256:35330f1bbbc0f361845b9b987e2f4ac70cdb96ab3f9e80161c2b8971c7df0df4
Tags:exe

Detection

AsyncRAT, DcRat, VenomRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected DcRat
Yara detected VenomRAT
Yara detected AsyncRAT
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Contains functionality to load drivers
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Enables driver privileges
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Binary contains a suspicious time stamp
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • UxaZyTE7nq.exe (PID: 5248 cmdline: C:\Users\user\Desktop\UxaZyTE7nq.exe MD5: 91A442B21FB353B221EA33E767C7FE1B)
    • MSBuild.exe (PID: 3164 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)
    • aspnet_regsql.exe (PID: 4860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)
    • AddInProcess.exe (PID: 1792 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
    • EdmGen.exe (PID: 4856 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe MD5: 2B6A31DFD7C9ED8B413DBDAB800F10F3)
    • RegAsm.exe (PID: 4916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
    • Microsoft.Workflow.Compiler.exe (PID: 3232 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)
    • SMSvcHost.exe (PID: 5564 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe MD5: 7EC8B56348F9298BCCA7A745C7F70E2C)
    • ngen.exe (PID: 1368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)
    • aspnet_regbrowsers.exe (PID: 784 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)
    • AddInUtil.exe (PID: 4504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe MD5: 65D30D747EB31E108A36EBC966C1227D)
    • mscorsvw.exe (PID: 4840 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)
    • cvtres.exe (PID: 3440 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • ServiceModelReg.exe (PID: 5388 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe MD5: 80B018258257C2F78CBFE08198883AC1)
    • jsc.exe (PID: 4532 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
  • cleanup
Malware Configuration / Family Information

Name:AsyncRAT
Description:AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name:DCRat
Description:DCRat is a typical RAT that has been around since at least June 2019.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "127.0.0.1,91.134.187.20", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.1", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "fLhIsNqVZyP3FtIfE3paid39lvLLS0GF", "Mutex": "mhtuxtjimxsu", "Certificate": "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", "ServerSignature": "kFvNmgZ/O5v1sx/qrRRjCJ65ULSYW0YUs6D8HUtcZiIPmdxxX1FnuqnG7Hqf58PvDX3GI/brbGZ53PRUq5Q2RpiVxj+vfAPMR0vYli5u3fC8P3PEfV6q8ByxVzA/JPq19BNQyRc/ggnXxDaQb3mMnaO7P9LiftEDaJle8Xfr3Kk=", "BDOS": "null", "Exter