Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "45.61.150.201", "beshomandotestbesnd.run.place"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"} |
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,45.61.150.201,beshomandotestbesnd.run.place", "Port": "6606,7707,8808", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"} |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: 127.0.0.1,45.61.150.201,beshomandotestbesnd.run.place |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: 7000 |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: <123456789> |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: <Xwormmm> |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: XWorm V5.6 |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: USB.exe |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: %AppData% |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: XClient.exe |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: 2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo |
Source: 12.0.1235.exe.e10000.0.unpack |
String decryptor: 966649672 |
Source: Yara match |
File source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.1.237.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.61.150.201 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m |
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3312242107.0000016D70DAF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.mic |
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micft.cMicRosof |
Source: 456.exe, 0000000B.00000002.3398649290.00000000051A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: 456.exe, 0000000B.00000002.3398649290.00000000051A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: powershell.exe, 0000000E.00000002.2162518724.0000015B3253F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2445457495.000001B567A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2788121554.000001B71F4BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B226F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B557C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F67A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.00000000025D8000.00000004.00000800.00020000.00000000.sdmp, AAkXVY.exe, 0000000A.00000002.2203533506.0000000003248000.00000004.00000800.00020000.00000000.sdmp, 456.exe, 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 1235.exe, 0000000C.00000002.3349500218.0000000003121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2110588680.0000015B224D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B5579F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B226F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B557C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F67A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr |
String found in binary or memory: http://tempuri.org/DataSetGen.xsd |
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000001B.00000002.3309340008.0000016D709EF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.micrm/pki/certs/MicR_2010-06-23.crt0 |
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B224D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B5579F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: MSBuild.exe, 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 1235.exe, 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, MSBuild.exe, 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, 1235.exe.9.dr |
String found in binary or memory: https://api.telegram.org/bot |
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000E.00000002.2162518724.0000015B3253F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2445457495.000001B567A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2788121554.000001B71F4BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: dump.pcap, type: PCAP |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3414123856.000000000679C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000013.00000002.2268754749.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3398649290.00000000051D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000013.00000002.2259471058.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3354395323.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3398649290.0000000005278000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3413113784.0000000006778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: 456.exe PID: 5560, type: MEMORYSTR |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe |
Code function: 0_2_0078DCD4 |
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe |
Code function: 0_2_09D333E9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 9_2_012D17B0 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0153DCD4 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_075244E8 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752B590 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752B5A0 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_075244D8 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752D378 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752D367 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752B168 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_07522F90 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_07522F80 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752AD16 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752AD30 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0752D870 |
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe |
Code function: 10_2_0AAD2301 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_0121E1A8 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07336377 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07336388 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07338E62 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07338EF2 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07331B10 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07597318 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_0759A092 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07599930 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07591170 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07593F80 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_0759ADB0 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07594A98 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07592948 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07653F50 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_076567D8 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_0765DA80 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07656FE8 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_07656FF8 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_076DC628 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_076DC3C0 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_076D8C28 |
Source: C:\Users\user\AppData\Roaming\456.exe |
Code function: 11_2_076D8C38 |
Source: C:\Users\user\AppData\Roaming\1235.exe |
Code function: 12_2_00007FF848C412E9 |
Source: C:\Users\user\AppData\Roaming\1235.exe |
Code function: 12_2_00007FF848C41CCD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 18_2_012A17B0 |
Source: C:\Users\user\AppData\Roaming\1235.exe |
Code function: 20_2_00007FF848C512E9 |
Source: C:\Users\user\AppData\Roaming\1235.exe |
Code function: 20_2_00007FF848C51CCD |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 22_2_00007FF848D43333 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 27_2_00007FF848D130E9 |
Source: LFfjUMuUFU.exe, 00000000.00000000.1968284586.0000000000062000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameOfXP.exe6 vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.00000000025D8000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameOutput.exe@ vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2062671888.0000000007040000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameTyrone.dll8 vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2057556745.0000000003875000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameOutput.exe@ vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2057556745.0000000003875000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameTyrone.dll8 vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.0000000002551000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSimpleLogin.dllD vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2061759454.0000000004B70000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameSimpleLogin.dllD vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe, 00000000.00000002.2022543031.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs LFfjUMuUFU.exe |
Source: LFfjUMuUFU.exe |
Binary or memory string: OriginalFilenameOfXP.exe6 vs LFfjUMuUFU.exe |
Source: dump.pcap, type: PCAP |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3414123856.000000000679C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000013.00000002.2268754749.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3398649290.00000000051D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000013.00000002.2259471058.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3354395323.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3398649290.0000000005278000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.3413113784.0000000006778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: 456.exe PID: 5560, type: MEMORYSTR |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.LFfjUMuUFU.exe.3875148.7.raw.unpack, Program.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.LFfjUMuUFU.exe.38a4368.8.raw.unpack, Program.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 1235.exe.9.dr, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 1235.exe.9.dr, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 1235.exe.9.dr, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |