Windows
Analysis Report
Client.exe
Overview
General Information
Detection
AsyncRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
Client.exe (PID: 6936 cmdline:
"C:\Users\ user\Deskt op\Client. exe" MD5: 83E3936CEFF5BB0E3666A998E4100F51) conhost.exe (PID: 6700 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Server": "torenta2.vpndns.net", "Port": "115", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "false"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
⊘No Sigma rule has matched
Timestamp: | 05/23/24-15:14:47.921294 |
SID: | 2030673 |
Source Port: | 115 |
Destination Port: | 49699 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/23/24-15:14:47.921294 |
SID: | 2035595 |
Source Port: | 115 |
Destination Port: | 49699 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_02E9257D | |
Source: | Code function: | 0_2_02E9257D | |
Source: | Code function: | 0_2_02E9EB78 | |
Source: | Code function: | 0_2_02E90988 | |
Source: | Code function: | 0_2_02E90988 | |
Source: | Code function: | 0_2_02E90988 | |
Source: | Code function: | 0_2_02E92358 | |
Source: | Code function: | 0_2_02E9E6A0 | |
Source: | Code function: | 0_2_02E9E68F | |
Source: | Code function: | 0_2_02E90979 | |
Source: | Code function: | 0_2_02E90979 | |
Source: | Code function: | 0_2_02E90979 | |
Source: | Code function: | 0_2_07354498 | |
Source: | Code function: | 0_2_07354498 |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | .Net Code: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_02E9113F | |
Source: | Code function: | 0_2_02E99798 | |
Source: | Code function: | 0_2_02E9A5C8 | |
Source: | Code function: | 0_2_02E9257D | |
Source: | Code function: | 0_2_02E9EB78 | |
Source: | Code function: | 0_2_02E99248 | |
Source: | Code function: | 0_2_07350040 | |
Source: | Code function: | 0_2_073529C8 | |
Source: | Code function: | 0_2_07350006 | |
Source: | Code function: | 0_2_073529D8 |
Source: | Binary or memory string: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Base64 encoded string: |