Edit tour

Windows Analysis Report
2ktrFR0W3v.exe

Overview

General Information

Sample name:	2ktrFR0W3v.exe renamed because original name is a hash value
Original sample name:	2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5.exe
Analysis ID:	1531023
MD5:	387b657fab27ddabb59998479ce069db
SHA1:	94e8062fdbeba343f328ef8d155c274a69fec39e
SHA256:	2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
Tags:	24-152-39-227exeuser-JAMESWT_MHT
Infos:

Detection

Clipboard Hijacker, Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Clipboard Hijacker

Yara detected Powershell download and execute

Yara detected Quasar RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to hide user accounts

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2ktrFR0W3v.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\2ktrFR0W3v.exe" MD5: 387B657FAB27DDABB59998479CE069DB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2ktrFR0W3v.exe	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
2ktrFR0W3v.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
2ktrFR0W3v.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2ktrFR0W3v.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
2ktrFR0W3v.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2ktrFR0W3v.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xec258:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
2ktrFR0W3v.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x377a0:$s1: \Classes\mscfile\Shell\Open\command 0x37812:$s2: eventvwr.exe
2ktrFR0W3v.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xefbcb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xf15aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2ktrFR0W3v.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0xefb05:$s1: c:\windows\system32\cmstp.exe 0xef8a9:$s2: taskkill /IM cmstp.exe /F 0xf0208:$s2: taskkill /IM cmstp.exe /F 0xb6156:$s4: CommandToExecute 0xef765:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xf00db:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xef99b:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0xf0332:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
2ktrFR0W3v.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x37ad2:$r1: Classes\Folder\shell\open\command 0x3790e:$k1: DelegateExecute 0x85010:$k1: DelegateExecute 0xec6cc:$k1: DelegateExecute
2ktrFR0W3v.exe	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0xedab9:$s3: />Log created on 0x1015d5:$s6: grabber_ 0x1015f1:$s6: grabber_ 0xb37e5:$s8: <RunHidden>k__BackingField 0xb1fc5:$s9: <keyboardHookStruct> 0xb3f42:$s10: add_OnHotKeysDown 0xb4299:$s10: add_OnHotKeysDown 0xf3f94:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0xfeece:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
2ktrFR0W3v.exe	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0xfd508:$h1: //:ptth 0xb6839:$s1: DownloadString 0xb5ad0:$s2: StrReverse 0x3720b:$s3: FromBase64String 0xb6819:$s3: FromBase64String 0xf0e24:$s3: FromBase64String 0xfc381:$s3: FromBase64String 0xbba0a:$s4: WebClient 0xf36d3:$s4: WebClient 0xf52a2:$s4: WebClient 0xfc13a:$s4: WebClient
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xef9cb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xf13aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 2ktrFR0W3v.exe PID: 7232	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x542ce:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54f66:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xb04cb:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb3e3e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xb581d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0xb3d78:$s1: c:\windows\system32\cmstp.exe 0xb3b1c:$s2: taskkill /IM cmstp.exe /F 0xb447b:$s2: taskkill /IM cmstp.exe /F 0x7a3c9:$s4: CommandToExecute 0xb39d8:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xb434e:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xb3c0e:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0xb45a5:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0xb1d2c:$s3: />Log created on 0xc5848:$s6: grabber_ 0xc5864:$s6: grabber_ 0x77a58:$s8: <RunHidden>k__BackingField 0x76238:$s9: <keyboardHookStruct> 0x781b5:$s10: add_OnHotKeysDown 0x7850c:$s10: add_OnHotKeysDown 0xb8207:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0xc3141:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0xc177b:$h1: //:ptth 0x7aaac:$s1: DownloadString 0x79d43:$s2: StrReverse 0x7aa8c:$s3: FromBase64String 0xb5097:$s3: FromBase64String 0xc05f4:$s3: FromBase64String 0x7fc7d:$s4: WebClient 0xb7946:$s4: WebClient 0xb9515:$s4: WebClient 0xc03ad:$s4: WebClient
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xb41e6:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb7b59:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xb9538:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0xb7a93:$s1: c:\windows\system32\cmstp.exe 0xb7837:$s2: taskkill /IM cmstp.exe /F 0xb8196:$s2: taskkill /IM cmstp.exe /F 0x7e0e4:$s4: CommandToExecute 0xb76f3:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xb8069:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xb7929:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0xb82c0:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0xb5a47:$s3: />Log created on 0xc9563:$s6: grabber_ 0xc957f:$s6: grabber_ 0x7b773:$s8: <RunHidden>k__BackingField 0x79f53:$s9: <keyboardHookStruct> 0x7bed0:$s10: add_OnHotKeysDown 0x7c227:$s10: add_OnHotKeysDown 0xbbf22:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0xc6e5c:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0xc5496:$h1: //:ptth 0x7e7c7:$s1: DownloadString 0x7da5e:$s2: StrReverse 0x7e7a7:$s3: FromBase64String 0xb8db2:$s3: FromBase64String 0xc430f:$s3: FromBase64String 0x83998:$s4: WebClient 0xbb661:$s4: WebClient 0xbd230:$s4: WebClient 0xc40c8:$s4: WebClient
0.0.2ktrFR0W3v.exe.d90000.0.unpack	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
0.0.2ktrFR0W3v.exe.d90000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.2ktrFR0W3v.exe.d90000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2ktrFR0W3v.exe.d90000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.2ktrFR0W3v.exe.d90000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.2ktrFR0W3v.exe.d90000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xec258:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.2ktrFR0W3v.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x377a0:$s1: \Classes\mscfile\Shell\Open\command 0x37812:$s2: eventvwr.exe
0.0.2ktrFR0W3v.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xefbcb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xf15aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.2ktrFR0W3v.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0xefb05:$s1: c:\windows\system32\cmstp.exe 0xef8a9:$s2: taskkill /IM cmstp.exe /F 0xf0208:$s2: taskkill /IM cmstp.exe /F 0xb6156:$s4: CommandToExecute 0xef765:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xf00db:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xef99b:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0xf0332:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.0.2ktrFR0W3v.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x37ad2:$r1: Classes\Folder\shell\open\command 0x3790e:$k1: DelegateExecute 0x85010:$k1: DelegateExecute 0xec6cc:$k1: DelegateExecute
0.0.2ktrFR0W3v.exe.d90000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0xedab9:$s3: />Log created on 0x1015d5:$s6: grabber_ 0x1015f1:$s6: grabber_ 0xb37e5:$s8: <RunHidden>k__BackingField 0xb1fc5:$s9: <keyboardHookStruct> 0xb3f42:$s10: add_OnHotKeysDown 0xb4299:$s10: add_OnHotKeysDown 0xf3f94:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0xfeece:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.0.2ktrFR0W3v.exe.d90000.0.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0xfd508:$h1: //:ptth 0xb6839:$s1: DownloadString 0xb5ad0:$s2: StrReverse 0x3720b:$s3: FromBase64String 0xb6819:$s3: FromBase64String 0xf0e24:$s3: FromBase64String 0xfc381:$s3: FromBase64String 0xbba0a:$s4: WebClient 0xf36d3:$s4: WebClient 0xf52a2:$s4: WebClient 0xfc13a:$s4: WebClient
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xb62d0:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x1818:$s1: \Classes\mscfile\Shell\Open\command 0x188a:$s2: eventvwr.exe
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb9c43:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xbb622:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD	Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF	ditekSHen	0xb9b7d:$s1: c:\windows\system32\cmstp.exe 0xb9921:$s2: taskkill /IM cmstp.exe /F 0xba280:$s2: taskkill /IM cmstp.exe /F 0x801ce:$s4: CommandToExecute 0xb97dd:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xba153:$s5: RunPreSetupCommands=RunPreSetupCommandsSection 0xb9a13:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 0xba3aa:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x1b4a:$r1: Classes\Folder\shell\open\command 0x1986:$k1: DelegateExecute 0x4f088:$k1: DelegateExecute 0xb6744:$k1: DelegateExecute
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0xb7b31:$s3: />Log created on 0xcb64d:$s6: grabber_ 0xcb669:$s6: grabber_ 0x7d85d:$s8: <RunHidden>k__BackingField 0x7c03d:$s9: <keyboardHookStruct> 0x7dfba:$s10: add_OnHotKeysDown 0x7e311:$s10: add_OnHotKeysDown 0xbe00c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0xc8f46:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0xc7580:$h1: //:ptth 0x808b1:$s1: DownloadString 0x7fb48:$s2: StrReverse 0x1283:$s3: FromBase64String 0x80891:$s3: FromBase64String 0xbae9c:$s3: FromBase64String 0xc63f9:$s3: FromBase64String 0x85a82:$s4: WebClient 0xbd74b:$s4: WebClient 0xbf31a:$s4: WebClient 0xc61b2:$s4: WebClient
Click to see the 39 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Common RAT Connectivity Check Observed

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T19:18:54.374248+0200	2036383	1	A Network Trojan was detected	192.168.2.10	49701	208.95.112.1	80	TCP

Joe Sandbox Signatures

• AV Detection
• Exploits
• Compliance
• Spreading
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2ktrFR0W3v.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 2ktrFR0W3v.exe

ReversingLabs: Detection: 78%

Yara detected Quasar RAT

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2ktrFR0W3v.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

Source: 2ktrFR0W3v.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2ktrFR0W3v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\addexclusion\obj\Release\addexclusion.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\MEMORYU\MEMORYU\obj\Debug\MEMORYU.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\CreateVenomUser\obj\Release\Create.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\CreateVenomUser\Uac-Executor\obj\Release\CU.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdbLd source: 2ktrFR0W3v.exe

Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: 2ktrFR0W3v.exe	Binary or memory string: autorun.inf
Source: 2ktrFR0W3v.exe	Binary or memory string: [autorun]

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.10:49701 -> 208.95.112.1:80

Yara detected Generic Downloader

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.10:49707 -> 24.152.39.227:4782

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	TCP traffic detected without corresponding DNS query: 24.152.39.227
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: 2ktrFR0W3v.exe	String found in binary or memory: http://127.0.0.1:4040/api
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://127.0.0.1:4040/api/tunnels
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://91.134.207.16/update/ngrok.exe
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://91.134.207.16/update/ngrok.exe9set
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://api.ipify.org/
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://geocoder.ca/?locate=
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp, 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 2ktrFR0W3v.exe	String found in binary or memory: http://ip-api.com/json/
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com0
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2ktrFR0W3v.exe	String found in binary or memory: https://geocoder.ca/?locate=
Source: 2ktrFR0W3v.exe	String found in binary or memory: https://google.com
Source: 2ktrFR0W3v.exe	String found in binary or memory: https://whatismyipaddress.com/update-location9internetexplorer.application

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_017CA0A0	0_2_017CA0A0
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_017CA970	0_2_017CA970
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_06AC9498	0_2_06AC9498
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_06AC2B98	0_2_06AC2B98
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_06AC0360	0_2_06AC0360

Source: 2ktrFR0W3v.exe, 00000000.00000002.2563248535.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCreate.exe@ vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCU.exe& vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDecryptor.exeV vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMEMORYU.exe0 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameaddexclusion.exe: vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe, 00000000.00000000.1301045873.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVenombin.exe2 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameCreate.exe@ vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameCU.exe& vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameDecryptor.exeV vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameMEMORYU.exe0 vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameaddexclusion.exe: vs 2ktrFR0W3v.exe
Source: 2ktrFR0W3v.exe	Binary or memory string: OriginalFilenameVenombin.exe2 vs 2ktrFR0W3v.exe

Source: 2ktrFR0W3v.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 2ktrFR0W3v.exe, type: SAMPLE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 2ktrFR0W3v.exe, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, -X---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2ktrFR0W3v.exe, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2ktrFR0W3v.exe, -.cs	Base64 encoded string: 'jQKEuhmBrDwki54AxZBI2qrUSFOJVRp5qZLwAPWv4RpzCZvtThzUxR6l5RVF97EA9Q3DycD1x/11389WbiRsTA==', 'Hc9PXkSY+teoK00Hn3TfOND14SHqES7GKjtT7fDiA7AEYnUGSgtHtw9bgL52xoeUXU7WkfVfh9Y7AK2d67bybA7+ZoONoYIaREcS6a8gvFQ=', 'Y95mgSQoWH6ARq4UWEd3jv72QV9/01xSZNRyN85Lhcr/825cfPLYou31DI7hq9JxGLOpX+ne4DBXsuTT9g4xWod85ciXp9pg3CXzthfEtV8=', 'pnmp7UAQ1YMJE9Zi+rilrNXGujsQa+fnXD0P7MWmax7bqKNp1Ij+kvqkJ+MXKUqaC0GFyvCYxravUEo5yc932A==', 'tEYQwaUwrcJDTTg5c2zkx0edhr9O7EQl1FSdTpEoB+rgX7iFoGbS+RlO6foYa40IOxTUy5kjO+QgnAs3eiuKeA=='
Source: 2ktrFR0W3v.exe, .cs	Base64 encoded string: 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs=', 'hkMLwJ6kLl/wcdO3zsAo7VqfFSEWVA8A9o3MyCnu60m9Go75uaIYsNblUZzcRVIUiiEBeuP6LNaWca6d/yJq4cGdt7P7Hv71j+pr9VlxQYs='
Source: 2ktrFR0W3v.exe, ------.cs	Base64 encoded string: 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWOIBuAy8A0Wwd+/Qk37BK9+i+wk5JxbXVR1Q4uTQlCe8YIpuyZyOCxjKf80gClzOhA=='
Source: 2ktrFR0W3v.exe, -X---.cs	Base64 encoded string: 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZIngFw97hGp88lGESFOmRFuKhpfKiXJ68fR8c2qmRDFmW6gVmRTHFcQssKadf3pZEr2v8L2T+wRzxQiZ65fHHpVsRjD6R+BXea7ZKc/WE7moQ==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEK1FHtY11RA+WKgpz8WlU6Uuwd54dHpyIPwGYkuAD9Fxg==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEK1FHtY11RA+WKgpz8WlU6UjHmYfbPuly+0KRBbK1rkYw==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZIngFw97hGp88lGESFOmRFuKhpfKiXJ68fR8c2qmRDFmZ2Ycy3e30jKppX/E7xkEib4/z67tZKoEYv83p/4+zBVVzKA5GBNJVAQeNlU2D356g==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIYvjDZa9XYE0+7rxNT6T+fjdAnjNI0zvODtDqjZNkCtlpSP03+0Q42bABNh30ix+w=', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufBXH6ygZHRLMSEsYfY0zx/zb1BUKgiM1jQi0uo9uE/PzA==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIV2sXOWTgN+Pcj462ljl3Oel4j7/mHDp79pNiFrTs78w==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEKpND3C57oKLuSoz2v0dV0bH4OpoapDChUYkbYYFnLcWg==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIiZVQ0kG2wUYnLtVlMfGzyoXu9rYGMvy2WPGxRHvbNuw==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufBRxadFEongss8PG/bC9lI1', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufAW7GCW9GjpuWcfklYXAs6CiBoXBbf1Lv3a+mDn1iQPmA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEKqQ+j67oBoT2z2qfHg14RFRfwf2L/5ZuZCOISZ7KrAzA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufADkY5vVIkbqyYOLhgaSgMtVkD80S5IvRbSbZvE8djdGw==', 'qiimzYPx0mUYk1Rr2FKAAqLWPVpJZfdW3vSNIZqoEAAXhFSxVMu4607KCwORqyR8d380oEo85zusjT/tI8oIWGaXObaAvVU95fBcDgAWSEIkWi3sLUNRh0Us6PpUJTJU/MlGxIz2bPjpalNjhg2ZIcexmyTaTR06cglMzpKyszA=', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZLpApyDHLbEXqnGn1FyZg7Eq9i/pG9iADhVnXwVkBIvQwJiMaH4nY12/3X8x8A4ufC1uEKwOfFncL3zY4OSoglTCShqS22/MD5ofOX6HxfFjA==', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 'gQ8qxzxGQ6tCfnxdcTHggypxrsh84/ZPaB6zQZr32ZL55WPp1zFAZn8zSVFhxCWcj8ZwVoOyAh3WyvInTOcAh1+e5NguCqUj9siUnyU8QPXCWprAFrmvVH0I47l4XKF0CU6+9UCVTN5OD1t5yFpLak6BKCf30RLXOpMaw4zZAX+5byXxPbbzmQCnuxE/Oa5N', 'NKOPmTypVXOBw8M4exFGSq4eGiXmVqCKtyAJ1+pZppYCTgTeoOlr8xo

Source: 2ktrFR0W3v.exe, -X---.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, -X---.cs	Security API names: File.GetAccessControl
Source: 2ktrFR0W3v.exe, -X---.cs	Security API names: File.SetAccessControl
Source: 2ktrFR0W3v.exe, -X---.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ---.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ---.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, -6---.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, -6---.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ---.cs	Security API names: File.GetAccessControl
Source: 2ktrFR0W3v.exe, ---.cs	Security API names: File.SetAccessControl
Source: 2ktrFR0W3v.exe, ---.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, u--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, u--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ------.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ------.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ----.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2ktrFR0W3v.exe, ---2-.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2ktrFR0W3v.exe, ---2-.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Mutant created: \Sessions\1\BaseNamedObjects\JlYM51eW4iZoFyLa2X

Source: 2ktrFR0W3v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2ktrFR0W3v.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2ktrFR0W3v.exe

ReversingLabs: Detection: 78%

Source: 2ktrFR0W3v.exe	String found in binary or memory: /add?command completed successfully.C/c net localgroup administrators sSoftware\Microsoft\Windows\CurrentVersion\Policies\System
Source: 2ktrFR0W3v.exe	String found in binary or memory: /addC/c net localgroup administrators eabcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZsSoftware\Microsoft\Windows\CurrentVersion\Policies\System

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 2ktrFR0W3v.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2ktrFR0W3v.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2ktrFR0W3v.exe

Static file information: File size 1085952 > 1048576

Source: 2ktrFR0W3v.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108200

Source: 2ktrFR0W3v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\addexclusion\obj\Release\addexclusion.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\MEMORYU\MEMORYU\obj\Debug\MEMORYU.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\CreateVenomUser\obj\Release\Create.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\CreateVenomUser\Uac-Executor\obj\Release\CU.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdb source: 2ktrFR0W3v.exe
Source:	Binary string: D:\Ransomware-Builder-v0.2d-master\Decryptor\Decryptor\obj\Debug\Decryptor.pdbLd source: 2ktrFR0W3v.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 2ktrFR0W3v.exe, .cs	.Net Code: _29AF_F031_E881_F8D7_EE13_2559 System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _29AF_F031_E881_F8D7_EE13_2559
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _24EB_E22B_0319_FFFD_E4D7_E30A System.Reflection.Assembly.Load(byte[])
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _0C73_2495_20EB_02D2_0CDA_22FD_F00F_1374 System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _0C73_2495_20EB_02D2_0CDA_22FD_F00F_1374
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _2715_F7FE_E551_E74D System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, .cs	.Net Code: _E74A System.Reflection.Assembly.Load(byte[])
Source: 2ktrFR0W3v.exe, ------.cs	.Net Code: _28ED_294D_A705_FFFD_2FAB_FFFD_E748 System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _FFFD System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _FFFD
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _E96B_058F_2D6E System.Reflection.Assembly.Load(byte[])
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _FFFD_F092_F71F_A7D5_0B78_A499 System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _FFFD_F092_F71F_A7D5_0B78_A499
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _E999_F687_FFFD_209D System.AppDomain.Load(byte[])
Source: 2ktrFR0W3v.exe, -X---.cs	.Net Code: _F22C_25F1_F26F_2A13_ED2F_E2C6_1B35 System.Reflection.Assembly.Load(byte[])
Source: 2ktrFR0W3v.exe, ---.cs	.Net Code: _1071_0983_EE16_0AD9 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_017CA094 pushad ; retf	0_2_017CA095
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_017C6DF0 pushfd ; ret	0_2_017C6DF1
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Code function: 0_2_06AC7193 push es; ret	0_2_06AC71A0

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
Source: 2ktrFR0W3v.exe, 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
Source: 2ktrFR0W3v.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 2ktrFR0W3v.exe	String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
Source: 2ktrFR0W3v.exe	String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

File opened: C:\Users\user\Desktop\2ktrFR0W3v.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2ktrFR0W3v.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe TID: 7252

Thread sleep time: -42500s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Last function: Thread delayed

Source: 2ktrFR0W3v.exe	Binary or memory string: vmware
Source: 2ktrFR0W3v.exe, 00000000.00000002.2563511197.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 2ktrFR0W3v.exe, ----.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation._2F84_0C7D_FFFD_270E, num3 + 4 + 4, ref buffer, 4, ref bytesRead)
Source: 2ktrFR0W3v.exe, ----.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation._2F84_0C7D_FFFD_270E, num2, length, 12288, 64)
Source: 2ktrFR0W3v.exe, ----.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation._2F84_0C7D_FFFD_270E, num4, data, bufferSize, ref bytesRead)

Source: 2ktrFR0W3v.exe	Binary or memory string: Shell_TrayWnd
Source: 2ktrFR0W3v.exe	Binary or memory string: Progman
Source: 2ktrFR0W3v.exe	Binary or memory string: Shell_traywnd

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Users\user\Desktop\2ktrFR0W3v.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2ktrFR0W3v.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2ktrFR0W3v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: 2ktrFR0W3v.exe, -X---.cs

.Net Code: _F705_2689_EC88_FFFD_211E_ED67

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

Yara detected Quasar RAT

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 2ktrFR0W3v.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dcdb8d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc9e72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.2ktrFR0W3v.exe.dc7d88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2ktrFR0W3v.exe PID: 7232, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Users	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
2ktrFR0W3v.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
2ktrFR0W3v.exe	100%	Avira	TR/Dropper.MSIL.Gen
2ktrFR0W3v.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.datacontract.org/2004/07/d	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://freegeoip.net/xml/	2ktrFR0W3v.exe	false		unknown
http://91.134.207.16/update/ngrok.exe9set	2ktrFR0W3v.exe	false		unknown
http://schemas.datacontract.org/2004/07/	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:4040/api/tunnels	2ktrFR0W3v.exe	false		unknown
http://ip-api.com	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp, 2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.comd	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://geocoder.ca/?locate=	2ktrFR0W3v.exe	false		unknown
http://api.ipify.org/	2ktrFR0W3v.exe	false		unknown
http://ip-api.com0	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://geocoder.ca/?locate=	2ktrFR0W3v.exe	false		unknown
https://google.com	2ktrFR0W3v.exe	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2ktrFR0W3v.exe, 00000000.00000002.2564022496.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:4040/api	2ktrFR0W3v.exe	false		unknown
http://91.134.207.16/update/ngrok.exe	2ktrFR0W3v.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
24.152.39.227	unknown	unknown		270564	MasterDaWebBR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531023
Start date and time:	2024-10-10 19:17:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2ktrFR0W3v.exe renamed because original name is a hash value
Original Sample Name:	2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 2ktrFR0W3v.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	YyhAkj09dy.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	dHp58IIEYz.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	ZfzNdscQNj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	OC8657434657864534233647586865432214253465.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	p61Wb0tocl.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	432mtXKD3l.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	sUdsWh0FL4.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
24.152.39.227	DZNtmwlTFY.exe	Get hash	malicious	Njrat	Browse
24.152.39.227	j84mNh4z90.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FMAudit.Installer_9652_1238001249.exe	Get hash	malicious	Unknown	Browse	51.77.64.70
	YyhAkj09dy.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	dHp58IIEYz.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	ZfzNdscQNj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	OC8657434657864534233647586865432214253465.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	p61Wb0tocl.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	432mtXKD3l.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	Vessel_Doc_OCN2613132.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	YyhAkj09dy.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	dHp58IIEYz.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	ZfzNdscQNj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	OC8657434657864534233647586865432214253465.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	p61Wb0tocl.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	432mtXKD3l.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	sUdsWh0FL4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
MasterDaWebBR	DZNtmwlTFY.exe	Get hash	malicious	Njrat	Browse	24.152.39.227
	j84mNh4z90.exe	Get hash	malicious	Njrat	Browse	24.152.39.227
	xtuHcaTJtwiA.exe	Get hash	malicious	Remcos	Browse	24.152.37.147
	zfT2dBXgtH.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	SYYMW2Y7m2.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	982Zv8zorr.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	UNNMigWUIb.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	LkU2WboNWf.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	pcOvs6rp0L.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	SJ2n4ybn.exe	Get hash	malicious	XWorm	Browse	24.152.38.50

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.475653306737083
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	2ktrFR0W3v.exe
File size:	1'085'952 bytes
MD5:	387b657fab27ddabb59998479ce069db
SHA1:	94e8062fdbeba343f328ef8d155c274a69fec39e
SHA256:	2a8c219afd3d9e171dc1515b32185bad9172bbcdaf15a6a7502458b6e7553ff5
SHA512:	4764b13353784cc02171abc07a0c3eac7a0cea961f72a94cf40e8ab8445a7d358bbde5cdd6b34939cd2c29062a07136c1f1443efa27e4ff79ff3e9ec1a3b3ba6
SSDEEP:	12288:1snj1ynkc1ZzBvtrZHFjMKY2aVTYTTu2NQ1fOHGeelg367PAt69Ubp:1aynkc1ZzBvtrZHFjMKY2j0eelOt6Mp
TLSH:	69352914EBF855A5F06E7F36747198050B38BE03653DD74B2B96A1980E2A390CCB2F67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D`..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x50a0be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6044CEC3 [Sun Mar 7 13:01:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10a06c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10c000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1080c4	0x108200	b7150de50819339d8b14fe9e007d28e8	False	0.45610044220302887	data	6.480201798743704	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10c000	0xa93	0xc00	9735d0e95b3beccb615bd49d09414dd6	False	0.3587239583333333	data	4.659291469160852	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0xc	0x200	2fe6efad514b32bb64aa10e4fc5a1b90	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10c0a0	0x31c	data			0.4334170854271357
RT_MANIFEST	0x10c3bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-10T19:18:54.374248+0200	2036383	ET MALWARE Common RAT Connectivity Check Observed	1	192.168.2.10	49701	208.95.112.1	80	TCP

Network Port Distribution

Total Packets: 26
• 4782 undefined
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 19:18:53.844782114 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:18:53.849638939 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:18:53.849734068 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:18:53.850563049 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:18:53.855355978 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:18:54.329224110 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:18:54.374248028 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:18:54.784275055 CEST	49707	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:18:54.789366007 CEST	4782	49707	24.152.39.227	192.168.2.10
Oct 10, 2024 19:18:54.789436102 CEST	49707	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:16.146114111 CEST	4782	49707	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:16.146212101 CEST	49707	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:16.147996902 CEST	49707	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:16.152942896 CEST	4782	49707	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:21.515331030 CEST	49865	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:21.520777941 CEST	4782	49865	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:21.520895958 CEST	49865	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:27.266098022 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:19:27.266175985 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:19:27.266606092 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:19:27.266648054 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:19:42.898406982 CEST	4782	49865	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:42.898514032 CEST	49865	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:42.899435043 CEST	49865	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:42.904236078 CEST	4782	49865	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:48.218672991 CEST	49973	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:19:48.225497007 CEST	4782	49973	24.152.39.227	192.168.2.10
Oct 10, 2024 19:19:48.225577116 CEST	49973	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:09.603828907 CEST	4782	49973	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:09.603980064 CEST	49973	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:09.604811907 CEST	49973	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:09.609771013 CEST	4782	49973	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:14.890794039 CEST	49974	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:14.895812035 CEST	4782	49974	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:14.895909071 CEST	49974	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:34.359788895 CEST	49701	80	192.168.2.10	208.95.112.1
Oct 10, 2024 19:20:34.367058039 CEST	80	49701	208.95.112.1	192.168.2.10
Oct 10, 2024 19:20:36.274414062 CEST	4782	49974	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:36.274522066 CEST	49974	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:36.275655031 CEST	49974	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:36.280441046 CEST	4782	49974	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:41.437082052 CEST	49975	4782	192.168.2.10	24.152.39.227
Oct 10, 2024 19:20:41.543972015 CEST	4782	49975	24.152.39.227	192.168.2.10
Oct 10, 2024 19:20:41.544096947 CEST	49975	4782	192.168.2.10	24.152.39.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 19:18:53.830842972 CEST	60011	53	192.168.2.10	1.1.1.1
Oct 10, 2024 19:18:53.838212013 CEST	53	60011	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 19:18:53.830842972 CEST	192.168.2.10	1.1.1.1	0xfaa8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 19:18:53.838212013 CEST	1.1.1.1	192.168.2.10	0xfaa8	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49701	208.95.112.1	80	7232	C:\Users\user\Desktop\2ktrFR0W3v.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 19:18:53.850563049 CEST	144	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Oct 10, 2024 19:18:54.329224110 CEST	482	IN	HTTP/1.1 200 OK Date: Thu, 10 Oct 2024 17:18:53 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Statistics

CPU Usage

• 2ktrFR0W3v.exe

Click to jump to process

Memory Usage

• 2ktrFR0W3v.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	13:18:51
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\2ktrFR0W3v.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2ktrFR0W3v.exe"
Imagebase:	0xd90000
File size:	1'085'952 bytes
MD5 hash:	387B657FAB27DDABB59998479CE069DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1300858634.0000000000D92000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	96.7%
Signature Coverage:	0%
Total number of Nodes:	92
Total number of Limit Nodes:	6

Executed Functions

Function 017CA0A0 Relevance: 4.0, Strings: 3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7~, xrefs: 017CA0DF
\Vdm, xrefs: 017CA357
7~, xrefs: 017CA0BF

Memory Dump Source

Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID: 7~$7~$\Vdm
API String ID: 0-1733167323
Opcode ID: d5d93b7035782608adf1cef466875ad486c63279bdc674ef7dca2d472b688f7f
Instruction ID: 5c72ed65366f78d5e3a5c2d6e3b28132668dd9838e703b574574dafe491add43
Opcode Fuzzy Hash: d5d93b7035782608adf1cef466875ad486c63279bdc674ef7dca2d472b688f7f
Instruction Fuzzy Hash: 99B15A70E0021D8FDB10CFA9D8957AEFBF2BF88B15F14812DD815A7294EB749842CB81

Function 017CA970 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7~, xrefs: 017CA9AF
7~, xrefs: 017CA98F

Memory Dump Source

Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID: 7~$7~
API String ID: 0-2178700345
Opcode ID: 3636dbe2fef845d05e52bdf81505b8f119b3e676380d3023465e7d6301f4ce68
Instruction ID: 5d41cf9c803164c49109e6e3d2a561d10a7740cc959757fb631036ed05358d75
Opcode Fuzzy Hash: 3636dbe2fef845d05e52bdf81505b8f119b3e676380d3023465e7d6301f4ce68
Instruction Fuzzy Hash: 61B13A70E0020D8FDB24CFA9D9817AEFBF2BB48B15F14852DD815AB294EB749945CB81

Function 06AC4685 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AC47A2

Strings

7~, xrefs: 06AC46DE
7~, xrefs: 06AC46BE

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: CreateWindow
String ID: 7~$7~
API String ID: 716092398-2178700345
Opcode ID: e52632ce4985d87c80afd494c80cc3cff4527a9d5c3ec245934110cded381440
Instruction ID: 81f5ca88f4767b62c961f0c32ea9087d54b9099b3023587ebdabb9a7fd1d5f61
Opcode Fuzzy Hash: e52632ce4985d87c80afd494c80cc3cff4527a9d5c3ec245934110cded381440
Instruction Fuzzy Hash: 4051BFB5D10348AFDB14CFA9C894ADEBBF5BF49314F64812AE818AB210D7719845CF94

Function 06AC4690 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AC47A2

Strings

7~, xrefs: 06AC46DE
7~, xrefs: 06AC46BE

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: CreateWindow
String ID: 7~$7~
API String ID: 716092398-2178700345
Opcode ID: 1f44b6c93a65b3637679abb37cfe26a6957e39275e48a545cfc76f4b25969ce6
Instruction ID: 81eb73b2a4bd3a0c2560edc7fc7b8996f55a7af1584fa181d9ace5f49cb49b3d
Opcode Fuzzy Hash: 1f44b6c93a65b3637679abb37cfe26a6957e39275e48a545cfc76f4b25969ce6
Instruction Fuzzy Hash: D541CFB5D103489FDB14CF9AC894ADEBBF5FF48310F64812AE818AB250D771A845CF94

Function 06AC24B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06AC2716

Strings

7~, xrefs: 06AC26CF

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: HandleModule
String ID: 7~
API String ID: 4139908857-3133233787
Opcode ID: caec9d76d4e04dd2f5e5ea30d20536ca9fef6b9c912b637fa511c4199ebb8c67
Instruction ID: 2890a25d79ea7dfe11ab665c5aa691a832cbc573d197dfe7912253095433249c
Opcode Fuzzy Hash: caec9d76d4e04dd2f5e5ea30d20536ca9fef6b9c912b637fa511c4199ebb8c67
Instruction Fuzzy Hash: 2A818870A00B458FD764EF29D55079BBBF1FF88210F008A2ED48ADBA54D774E945CB91

Function 017C3334 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017C33F1

Strings

7~, xrefs: 017C3374

Memory Dump Source

Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd

Similarity

API ID: Create
String ID: 7~
API String ID: 2289755597-3133233787
Opcode ID: 9d80ceffbcc676d2ef84421da2d0bf7d5baa513790a80b8f72c8a83f7af30e6f
Instruction ID: e5e076584684637433ed330a4019c2675debfc165a511f4f3e265d284e7837e2
Opcode Fuzzy Hash: 9d80ceffbcc676d2ef84421da2d0bf7d5baa513790a80b8f72c8a83f7af30e6f
Instruction Fuzzy Hash: 4C41CDB5C007188FEB25CFA9C844BDDBBB5BF49304F20816AD508AB251DB756946CF90

Function 06AC1C44 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06AC6D11

Strings

7~, xrefs: 06AC6C67

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: CallProcWindow
String ID: 7~
API String ID: 2714655100-3133233787
Opcode ID: a4527360122200b55066109ac0e63c647f083e4b62de3a3d7da8e1a1e63171ca
Instruction ID: 37c2bca7b3df4521ef2dd1decb93432159efeca4b7bbea0ee4b284abd1d953fa
Opcode Fuzzy Hash: a4527360122200b55066109ac0e63c647f083e4b62de3a3d7da8e1a1e63171ca
Instruction Fuzzy Hash: 964128B4A003098FDB54DF99C848BAABBF5FB89324F24845DD519AB321D375A841CFA0

Function 017C1984 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017C33F1

Strings

7~, xrefs: 017C3374

Memory Dump Source

Source File: 00000000.00000002.2563681689.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_2ktrFR0W3v.jbxd

Similarity

API ID: Create
String ID: 7~
API String ID: 2289755597-3133233787
Opcode ID: ea3393d91ba459a5f72cfe618b9631cfa2cf83689d114e4b60ec849ede0f50e2
Instruction ID: 8ead83de3a20910af28e1cb9ebc184cb8984d68c3377534f64250b908a554148
Opcode Fuzzy Hash: ea3393d91ba459a5f72cfe618b9631cfa2cf83689d114e4b60ec849ede0f50e2
Instruction Fuzzy Hash: 4941BFB0C04718CBEB24CFA9C844B9DFBF5BF49704F20806AD508AB251DBB56986CF90

Function 06AC9278 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06AC92D5

Strings

7~, xrefs: 06AC929A

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: Initialize
String ID: 7~
API String ID: 2538663250-3133233787
Opcode ID: 9c214e767a1aefc27b2427f4af3b14304b3a2c25a684d5230adaf4a6a39bb84c
Instruction ID: e27bb4c59d1b71d1d84671245cfc664edc04a3a457eb10a1f928f423c6f17f38
Opcode Fuzzy Hash: 9c214e767a1aefc27b2427f4af3b14304b3a2c25a684d5230adaf4a6a39bb84c
Instruction Fuzzy Hash: 7B1145B5D003488FDB20DFAAC845BCFBBF8EB48324F248459E558A7640C375A540CFA9

Function 06AC26B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06AC2716

Strings

7~, xrefs: 06AC26CF

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: HandleModule
String ID: 7~
API String ID: 4139908857-3133233787
Opcode ID: 78ec4d7691cee2083dbbc4a90828e5c4d80cecab82e33a403e7be11cd3890b1f
Instruction ID: f0326ae1b866117951265361750cf5314f9eec80d1d415b8dd305acd2b8201e8
Opcode Fuzzy Hash: 78ec4d7691cee2083dbbc4a90828e5c4d80cecab82e33a403e7be11cd3890b1f
Instruction Fuzzy Hash: C61113B5C003498FDB10DF9AC844BDEFBF4EF88224F10841AD828A7650D375A645CFA5

Function 06AC83A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06AC92D5

Strings

7~, xrefs: 06AC929A

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID: Initialize
String ID: 7~
API String ID: 2538663250-3133233787
Opcode ID: ea9706387eb5a9ea88457720fa38af4ac4bd4b65d34da70f8c3b4d7dc45b6310
Instruction ID: 5639d771e4ce8b99f74eaa0c25c308e70b1c5bd94e6dd24c638894c34990f190
Opcode Fuzzy Hash: ea9706387eb5a9ea88457720fa38af4ac4bd4b65d34da70f8c3b4d7dc45b6310
Instruction Fuzzy Hash: 981145B18003488FDB20DF9AC444BDFFBF8EB48324F20845AE558A7640C374A944CFA9

Function 06AD0048 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

?, xrefs: 06AD00AF

Memory Dump Source

Source File: 00000000.00000002.2565740361.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 486ef6be344a278909758d38f876349f4ec59e1fd122b2434ad26776505cbcb0
Instruction ID: 4ef4e1ee15dc062d501dfc17536d5cd096c2d9bac97963d7662e43292e245057
Opcode Fuzzy Hash: 486ef6be344a278909758d38f876349f4ec59e1fd122b2434ad26776505cbcb0
Instruction Fuzzy Hash: 6BF17D34B002099FEB58EF65C944BAEBBB2FF85710F148059E4069B3A1DB75DD82CB91

Function 06AD002C Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

?, xrefs: 06AD00AF

Memory Dump Source

Source File: 00000000.00000002.2565740361.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ad0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: b6919b515b9c2c4828313808c9682d0bb8869c3c91361bc4aa33a0aff029949b
Instruction ID: dc2cb1a3f9a9f59445b1bc88d48e279996aae20c6ada31ac86e2265798291917
Opcode Fuzzy Hash: b6919b515b9c2c4828313808c9682d0bb8869c3c91361bc4aa33a0aff029949b
Instruction Fuzzy Hash: 8281DE30B007069FEB199F69C850BAEBBB2AF85304F148566D102EB3A2DBB59D41C791

Function 0146D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f434208047f17d47464e1e1b92d94dbdc80783ed657fdab04d923391bd4f3526
Instruction ID: d72ece0e9fe6dfef63050c1b5b9d7ad3c7559141d27deb2dcd31d5ff241f8d7c
Opcode Fuzzy Hash: f434208047f17d47464e1e1b92d94dbdc80783ed657fdab04d923391bd4f3526
Instruction Fuzzy Hash: 41213371A00340DFDB05DF94D9C0B17BBA9FB8831CF20816AE8490B666C336D846CAA3

Function 0146D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07835138975ff65d663530579272a2a29a8a4b1f4a6e0aa4ab5cffd2a7644fb
Instruction ID: 4f4c22ebf1535092fb0db2559084c3e5e544882316c4220839e1471463c58edd
Opcode Fuzzy Hash: c07835138975ff65d663530579272a2a29a8a4b1f4a6e0aa4ab5cffd2a7644fb
Instruction Fuzzy Hash: 30212B71A04240DFDB05DF54D9C0B67BB69FB84318F24C57AE9490B367C336E856C6A2

Function 0147D128 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563395394.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4079488cbc26cb540b2c90fc17ca0ed9498e855701ebc7cbf24d76fd6a12b579
Instruction ID: b53c03b158661d8d6077b082bdc4c019db9079e51fd8b703e26dd58d95f8ea46
Opcode Fuzzy Hash: 4079488cbc26cb540b2c90fc17ca0ed9498e855701ebc7cbf24d76fd6a12b579
Instruction Fuzzy Hash: 8F213771A04240DFEB05DF94E9C0B56BBA5FF84314F20C5AEE80A4B366C336D846CA61

Function 0146D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
Instruction ID: 5872d40f2c19ec6c6d4769d705dc649bd804fdb14a27ddafacd0633f30ffeab9
Opcode Fuzzy Hash: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
Instruction Fuzzy Hash: 5211B176904280CFCB16CF54D5C4B16BF71FB88318F2486AAD9494B767C33AD456CBA2

Function 0146D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563365852.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
Instruction ID: 5ac52160819dd1b7b8c00b9d0274450324ab146bfaeb1ace6603f153f9d9f1f3
Opcode Fuzzy Hash: 6b27598fccdcf64bb4696049134559f293c64bbc5afbc827985db7de6eb0de01
Instruction Fuzzy Hash: 0711D276904240CFCB06CF44D5C4B56BF62FB84314F24C5AAD8490B666C336D856CBA2

Function 0147D123 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2563395394.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1f3823a6d5e9a0021df617afa545df39c4bee3d684dcbd2680691be67a36db
Instruction ID: a314f9548967f2324b149d4a435bb3d33f2a15d7a661aeba38685bc43273f1f2
Opcode Fuzzy Hash: 1b1f3823a6d5e9a0021df617afa545df39c4bee3d684dcbd2680691be67a36db
Instruction Fuzzy Hash: 5A11BE75904280CFDB06CF58D5C4B16BBA1FB84314F24C6AADC094B766C33AD40ACB61

Non-executed Functions

Function 06AC9498 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

7~, xrefs: 06AC94C2

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID: 7~
API String ID: 0-3133233787
Opcode ID: f7a9c42b9b69940519bdf4a0f09fa56a1201cfd92c7f9b7cd7e6a4080582f456
Instruction ID: 932b27aecf7c5f864e0aad6a130c50eda101bf89c44c59316c7de2d7a488b3cf
Opcode Fuzzy Hash: f7a9c42b9b69940519bdf4a0f09fa56a1201cfd92c7f9b7cd7e6a4080582f456
Instruction Fuzzy Hash: 68F13C30E00209CFEB54EFA9C944B9EBBF1FF48724F158159E409AF2A5DB74A945CB81

Function 06AC2B98 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c5572e4e07ee729f16bff8730a29fce7d3e48b634bb1c111a3b3499d64ebab
Instruction ID: b98e47b379c593481d6b3e15287421f3d5be360877736b3dcc425cf9f8684d60
Opcode Fuzzy Hash: 69c5572e4e07ee729f16bff8730a29fce7d3e48b634bb1c111a3b3499d64ebab
Instruction Fuzzy Hash: 8A5219B0500B09CFD710EF18F88C2A97BB1FB46328FA4C619D5695F2A8D7B4658ACF44

Function 06AC0360 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2565717994.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ac0000_2ktrFR0W3v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdcf399c44fa40f7fec2077a9d306b1594af69f33afa2033cfa3de88599e27a
Instruction ID: 7d0535d4a0d43fc3f161fbeb75ebd990a0cdf46052d3a4476a0211b64a54ccde
Opcode Fuzzy Hash: 3cdcf399c44fa40f7fec2077a9d306b1594af69f33afa2033cfa3de88599e27a
Instruction Fuzzy Hash: 6EA14B32F10209CFCF45EFA4C9849AEB7B2FF85310B15856AE915AB211DB71D956CB80

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2ktrFR0W3v.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
2ktrFR0W3v.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre