Edit tour

Windows Analysis Report
g5tO58gHku.exe

Overview

General Information

Sample name:	g5tO58gHku.exe renamed because original name is a hash value
Original sample name:	0fc1be13a029ec3ce80bbe25da7a4362.exe
Analysis ID:	1546533
MD5:	0fc1be13a029ec3ce80bbe25da7a4362
SHA1:	8538fda0583e0502e2b56129f7a52fdffbe7b041
SHA256:	96c411467b43f8c459e77c0f9bc8566b92cefa8f7d2e9e44c8f64950b4bc59c3
Tags:	32exe
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

g5tO58gHku.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\g5tO58gHku.exe" MD5: 0FC1BE13A029EC3CE80BBE25DA7A4362)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "hicham157484.ddns.net", "Ports": "1994", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "jJ4thDBK9Sumwie02zZJNABmSbGp1YqA", "Mutex": "DETDSVSEFF555_6SSDFSDF", "Certificate": "MIIE8jCCAtqgAwIBAgIQALBkRuNCTqKtgapRE9OFfzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwOTA4MTcxOTA2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIUy6LUKGJiU+zs5YT6bYIiVfLqLpcI+LU0E4VJAwp9P6glbx/vcYicyK5/XI6drbESmiYtKXn2Sh0Qwbl0h1dPP86ERt3Oayv5s3Dtf7XPFEUCY9we26TXl47RYC9G5lYcYdgt2fmkUHC+rPAgRu4lfvbTyxNapCF8CJdJEP2cfwjpoP1/N78cAJ6PBIJ6ZcP1cUspWc+FgDtgcVYsB4rnIt7dePE12akzXJcWqlSf8tjNy0ES/9yx1s3tY6wStFcUP6ryDqQ27yccvByOm0i7SkvFfGsLibJOBY2akPF3Um8lBiHQz8qEYWXGT6m2KwFu5LeBx1/X2cuhXydVo9ZGUUZnISy/s1MX1KJeoqQqf9r167cEmbfakQ/3hbCgqbGt9MV/g89QDSiEHcyA0KPmwRs+VL9BJTw/wEOPLKsDJ4/prE81E8uYN6AFywO5dsxDucwCxGacrpG06yXjfR1/Iujp3NIEEKcOszIwq9Bi4qhdKOeou9KAJA96CqFvbYuVWNKE6m8T9bJsn6821WfDpD4gsZNnDkYau4ItntnuOs+xwkKKpfEDQKPKYrKq0Mz+/jOkdAyiS2vctNJFEDYrgte4C/tlQkzBsuwxYI46XGuO1ikkHvEFGqmEMcK/qJTKDlgUsEdifqhzKPKXWFi3FhhS7dacNUfJwV9yJD2XHAgMBAAGjMjAwMB0GA1UdDgQWBBSFEWXeyCCkXd6OtMBwLZX6CcP1DzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBqRKAN8/YvlUBBLoaeygiKyrZ9wu4OJ1v31PPDtTKLtmj8IxL+IaCf0+3ZogM3y/UvMh5ikVZlkvOEI7UzzIhOGrsZ2Q6Y4mhh5MJh9nWSvZaPIxhz4a/tkPBTvlUElJ56qi+QKEgBVMDj3cN/diRzvvVky0budt9MNCmjKR5rctO1cdK5nXdiDRP+/Znkmnwqg4ljb/68TXeqg822z8N83PStp4PwgOXV0YTfvqsrzfKmg1JB+VkCwZr8Kt8xRvroVc0gqLgPwO19FcL+R978QmmHa50PYiPUbCUAfC5uW/X/ZoyPaJ3T/tRRm4J8hF3F7FO+SgKbhCz2gM1atS61O8ASUo93+k0r+q2tuFiqZHXcPNfZ3yQ9N9wUQecvQh+zVqt6C4AlUQKs8HsPHYJ6CtX3Ch7aPy5s2qpIQWrbekxugMHqhMvoPveOI7NavHjJycSRc1/bQDmD/Q34nJ5xxaL1U2tPhKFYyjJoi0AMql2J3jwdywvaSy0cztxBvi7wQzL8bzxEQV7PmdmRQgXGwN6V0aH1EqwNpeRmpMVt4LkdI8hwlRrc8sTqUOYErECospldCssXHJHefxJcz6mjOvYfN0qMl2k/yVvM2HslSLi+gsqgk0WdN3AmibthRSY8D+VIW0AKz6DsXs/2Viz7xi6W+pFvuseOttr3U4lCAA==", "ServerSignature": "Zs5sWlK/R8AIYVLG/bLdF6Ag9JjXlA4sLXRYj25FWb2ivC7g7EMtlpNrFvjaQFBeHNvvqpelss+k05ZN62Hj/zH8xIOiXkMLSmwzrTWo0i+JAxDFS9oAO3Y3zX93IZ5uHtwdAxjqayaq2kumIb4sCjV+kGXkRt++Hj45PyKSVf9JmmBpGoGV8ptmMUj95f1gBiI9wxY9G9bFecNxzeury+qVBW9pkEFAjhmmdR4CwLgiwgJGmI/ayxYeHgy5RgEJ3XdA9GprFiyDm2VvkT1GdaRQKlva7uJYe6aPlYQu20Y9reWAcZsbmv2snMfIVO703722h1EOcbrKbzK8e8SCy7ojcsL6NVjfdOkzmzf/XzNfVzNhDOQm0Sh/z+9oHZSqOcuBqVNI31i6aNyyhAyy4lTL35pBk1H6U9xp5dfGTjGCBN+3b+RTeqLoykvy7bwrJoQGdaxjyHTd4la7z3Alpt1o+a7KUcY7tl9dpYNBkDkKkrLWmcYjTUin+IatqAwnl+XoXX4YVe77jiLysIzG3JqDK4cIfmNrBGLxgL+wYa65bEZKiryyy4j5rfwSPQup6s/JSgzbveJ6WtHfm/h56El47zHFRP0AUg1Mq8ltjDHvbYi5Xi6z18Km4kfIsDEd/ENoc/vlPUjrgSJs4/jOnCzBo9tLfBCEvZuVhl7ZGHo=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
g5tO58gHku.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
g5tO58gHku.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
g5tO58gHku.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2c7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6f4c:$a3: get_ActivatePong 0xa4df:$a4: vmware 0xa357:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7d0c:$a6: get_SslClient
g5tO58gHku.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa359:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa0c7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xc238:$a2: Stub.exe 0xc2c8:$a2: Stub.exe 0x6d4c:$a3: get_ActivatePong 0xa2df:$a4: vmware 0xa157:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7b0c:$a6: get_SslClient
00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa159:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbcb3:$x1: AsyncRAT 0xbcf1:$x1: AsyncRAT
00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1d9d7:$x1: AsyncRAT 0x1da15:$x1: AsyncRAT
Process Memory Space: g5tO58gHku.exe PID: 7408	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: g5tO58gHku.exe PID: 7408	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc4ae:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: g5tO58gHku.exe PID: 7408	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x320a:$x1: AsyncRAT 0x323c:$x1: AsyncRAT 0x36b9d:$x1: AsyncRAT 0x36bcf:$x1: AsyncRAT 0xc574:$s6: VirtualBox 0xc527:$s8: Win32_ComputerSystem
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.g5tO58gHku.exe.f60000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.g5tO58gHku.exe.f60000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.g5tO58gHku.exe.f60000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2c7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6f4c:$a3: get_ActivatePong 0xa4df:$a4: vmware 0xa357:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7d0c:$a6: get_SslClient
0.0.g5tO58gHku.exe.f60000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa359:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T04:44:16.777439+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.4	49731	TCP
2024-11-01T04:44:56.699460+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	51321	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: g5tO58gHku.exe

Avira: detected

Found malware configuration

Source: g5tO58gHku.exe

Malware Configuration Extractor: AsyncRAT {"Server": "hicham157484.ddns.net", "Ports": "1994", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "jJ4thDBK9Sumwie02zZJNABmSbGp1YqA", "Mutex": "DETDSVSEFF555_6SSDFSDF", "Certificate": "MIIE8jCCAtqgAwIBAgIQALBkRuNCTqKtgapRE9OFfzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwOTA4MTcxOTA2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIUy6LUKGJiU+zs5YT6bYIiVfLqLpcI+LU0E4VJAwp9P6glbx/vcYicyK5/XI6drbESmiYtKXn2Sh0Qwbl0h1dPP86ERt3Oayv5s3Dtf7XPFEUCY9we26TXl47RYC9G5lYcYdgt2fmkUHC+rPAgRu4lfvbTyxNapCF8CJdJEP2cfwjpoP1/N78cAJ6PBIJ6ZcP1cUspWc+FgDtgcVYsB4rnIt7dePE12akzXJcWqlSf8tjNy0ES/9yx1s3tY6wStFcUP6ryDqQ27yccvByOm0i7SkvFfGsLibJOBY2akPF3Um8lBiHQz8qEYWXGT6m2KwFu5LeBx1/X2cuhXydVo9ZGUUZnISy/s1MX1KJeoqQqf9r167cEmbfakQ/3hbCgqbGt9MV/g89QDSiEHcyA0KPmwRs+VL9BJTw/wEOPLKsDJ4/prE81E8uYN6AFywO5dsxDucwCxGacrpG06yXjfR1/Iujp3NIEEKcOszIwq9Bi4qhdKOeou9KAJA96CqFvbYuVWNKE6m8T9bJsn6821WfDpD4gsZNnDkYau4ItntnuOs+xwkKKpfEDQKPKYrKq0Mz+/jOkdAyiS2vctNJFEDYrgte4C/tlQkzBsuwxYI46XGuO1ikkHvEFGqmEMcK/qJTKDlgUsEdifqhzKPKXWFi3FhhS7dacNUfJwV9yJD2XHAgMBAAGjMjAwMB0GA1UdDgQWBBSFEWXeyCCkXd6OtMBwLZX6CcP1DzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBqRKAN8/YvlUBBLoaeygiKyrZ9wu4OJ1v31PPDtTKLtmj8IxL+IaCf0+3ZogM3y/UvMh5ikVZlkvOEI7UzzIhOGrsZ2Q6Y4mhh5MJh9nWSvZaPIxhz4a/tkPBTvlUElJ56qi+QKEgBVMDj3cN/diRzvvVky0budt9MNCmjKR5rctO1cdK5nXdiDRP+/Znkmnwqg4ljb/68TXeqg822z8N83PStp4PwgOXV0YTfvqsrzfKmg1JB+VkCwZr8Kt8xRvroVc0gqLgPwO19FcL+R978QmmHa50PYiPUbCUAfC5uW/X/ZoyPaJ3T/tRRm4J8hF3F7FO+SgKbhCz2gM1atS61O8ASUo93+k0r+q2tuFiqZHXcPNfZ3yQ9N9wUQecvQh+zVqt6C4AlUQKs8HsPHYJ6CtX3Ch7aPy5s2qpIQWrbekxugMHqhMvoPveOI7NavHjJycSRc1/bQDmD/Q34nJ5xxaL1U2tPhKFYyjJoi0AMql2J3jwdywvaSy0cztxBvi7wQzL8bzxEQV7PmdmRQgXGwN6V0aH1EqwNpeRmpMVt4LkdI8hwlRrc8sTqUOYErECospldCssXHJHefxJcz6mjOvYfN0qMl2k/yVvM2HslSLi+gsqgk0WdN3AmibthRSY8D+VIW0AKz6DsXs/2Viz7xi6W+pFvuseOttr3U4lCAA==", "ServerSignature": "Zs5sWlK/R8AIYVLG/bLdF6Ag9JjXlA4sLXRYj25FWb2ivC7g7EMtlpNrFvjaQFBeHNvvqpelss+k05ZN62Hj/zH8xIOiXkMLSmwzrTWo0i+JAxDFS9oAO3Y3zX93IZ5uHtwdAxjqayaq2kumIb4sCjV+kGXkRt++Hj45PyKSVf9JmmBpGoGV8ptmMUj95f1gBiI9wxY9G9bFecNxzeury+qVBW9pkEFAjhmmdR4CwLgiwgJGmI/ayxYeHgy5RgEJ3XdA9GprFiyDm2VvkT1GdaRQKlva7uJYe6aPlYQu20Y9reWAcZsbmv2snMfIVO703722h1EOcbrKbzK8e8SCy7ojcsL6NVjfdOkzmzf/XzNfVzNhDOQm0Sh/z+9oHZSqOcuBqVNI31i6aNyyhAyy4lTL35pBk1H6U9xp5dfGTjGCBN+3b+RTeqLoykvy7bwrJoQGdaxjyHTd4la7z3Alpt1o+a7KUcY7tl9dpYNBkDkKkrLWmcYjTUin+IatqAwnl+XoXX4YVe77jiLysIzG3JqDK4cIfmNrBGLxgL+wYa65bEZKiryyy4j5rfwSPQup6s/JSgzbveJ6WtHfm/h56El47zHFRP0AUg1Mq8ltjDHvbYi5Xi6z18Km4kfIsDEd/ENoc/vlPUjrgSJs4/jOnCzBo9tLfBCEvZuVhl7ZGHo=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for domain / URL

Source: hicham157484.ddns.net	Virustotal: Detection: 8%			Perma Link
Source: hicham157484.ddns.net	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for submitted file

Source: g5tO58gHku.exe	ReversingLabs: Detection: 86%
Source: g5tO58gHku.exe	Virustotal: Detection: 80%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: g5tO58gHku.exe

Joe Sandbox ML: detected

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: hicham157484.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: hicham157484.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 45.74.34.32:1994

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:51321

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: hicham157484.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: g5tO58gHku.exe, 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe
Source: g5tO58gHku.exe	Binary or memory string: OriginalFilenameStub.exe" vs g5tO58gHku.exe

Source: g5tO58gHku.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: g5tO58gHku.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: g5tO58gHku.exe, uuJguqNBkt.cs

Base64 encoded string: 'wXVQoCsf5HlA5KLSC6svPqkNYRDV04j3/uat00BMJiHdQp9fZH00DEj9TOroLx62PV7pTyMotl+yHeMqQbn5MA==', 'SLahgxO4mgId/WSbcqGlmObu2jUUMED2GnbhsPSV2GsCTDPBPhFwuH8JeezbULhaMlaerNi5WcAUo/MZJpwkXA==', 'MRjF9uKhMKOGTQW9eS4xwEiQ5Z3pg8Di1weKZlHiNBowWCZYiVWj/4eAcIM0gutNtDbelyA+zeYRfUr4qvOxhQeGulP8zWcc0YRE2Pmlz8s=', 'Thz3V2WUhdTsoIYCsEy+KDjYlFT3mQwWArVEN4EJAQgoeke7gnWYNobaiMb4ifmcVfDbcAN7FDSZIXV2V4CuFY7bKAJXQNy/RaUzKdGpHxfsJLz/PhcvegAmJU5+xUY638Uredi12FZEgqt8EFBBdJ+xxMMhbCdzDVtiG2G/cXEF6OORJnlIZKCZIJRlFrXpK846ljwv9q9GAbRH0eRWdxkxEkxcT1trmf1eTyJGOJZ3xxIpTN+aPWKZpJga7Gom1ildKTgxTeQWkao5przsNV1Yi5mRBwl/8sEfkgNeUIOPu/pP4z8PTr69iJsBbMmGpXuJsZdvFwTnbrJgroOtmfgSZq6IM7Bx8B3Qe9UU4TD8oHiUu1WjzaqmwWkGIu4Tr4Cq0/lkLmcJ9ojA4l/DmNe5qIvhe2//Y8hKVSQ4ZKOADp0jtGvrUFvSFjD1hzAuOS+feAO2dE1ix+EAIygVP0hzcmdLuqe3jPdL1/+8f/y6GdhXThqxSdm7fAXrV8jaFUzYwHGtwKSrVhm2M1xuxivTc6RdJ7B81YQBinW3GLXABWdO6CmuNj/ddTfkqxoecdHYDibOC2aU/8s6eFiLIepV9LhRhfpfWKFIwsZn7fBmtlfdf+hQ73Z0ZG7dRvTyBG3S8Nl3Lqcr6LeqAwFhwnHCVwzNMds4wSlwZnsKVLLqt8HfAp9kV0z6WrcLOFve5kRge83kN6JVYqLzxFNcVcGX8ys6P1yZA7yeK3huXbni7n1sn8+fmc7cyHtfQqQxrO1UQ/uONN502Zfkqm5PQAKtADz4rz6T/Hv1uNYLEJ7NZbrBVan1tXSrwJ/crmt6/+cXfBdgtdN+6qM1YCm+szWJADPouFDX08i4DwufGrlVXNMK91dB5emBf7ErzcWo6UNTW25KxTQO0zRy9917fSafQJinHRBGBmphYeDkZGkciY06BwOFo8ufQ3fP5GNLrPc1nikV3cGe7v+cECuVs1MTA3MolYfC35Oxtk8mv/7bV9F8Mi9G9Z5rHRPDr5bBBHa4/Jamwg300JWd42I1lysmxSwGrZ01skvew24SSA4PELzLIDoyNqM4xxdA7ExNfZq+DDG78j9RIU5zsx02tBoxHJIZGrqMh6SlQ/IqEp35VwlUWo+ce7CM9AesTqMzyLS0KSLT3VWf8ZT/kfeFLkgUHiHqil/1CJU2+KyVilzol+bMay9aK6Oq+MMqzwPCLiZvtfJG2XUbDGo9n0vxckdnTM6FCWqnwznpNQmDCYVh1gfyqsSBhY7/M64crW5QAUYsYuNIIBsVMOM9kldGjTer0QOn4ttJxEKgwh+jmBWB/DTcS4ZS0UhsjPweE96Gd56yWtvSdWSyrLo8SzmfBXlaHvaxRZjXq2AB/6aPS5u8na4Fdq6tLjtCdR6uRzJqfRbrcKI/huQIPM1XfPBHarysLt6uF5pcnd8RHNJbDy9m65voweDCGF17SDhziDKsuoo4rAwCHvq6IWzrDtgFP0fcIkDWhLYO19Yy4o2j4XkdrhU2FOi2YnwP/HyDYfJ//rXmC8dA/Irm/ODbH4EOdbg6vRHgaq8vhOdMOEybz4YCdTPA/3F0Lg44zML9QUZxc9wicREAkTgQV0Ep+nmktHXTowdGjemZF3ar18EwsB1BITIhrijXVUIP6YpliNa3zgIE8ECP3wrbDx1qZh6vsNHZ21ZqBAaXRS3HFVzOZCtgRVuBpOdKSG2lhCDXCZlZf9MW+90M+ChKcO3L57auVOg5ANnuMgp8d8v7d4lqI/aGh6tTj1/x1J5pVW3N4aV+tExq5seM7E0pbSCmpng87WnHfSyqOr0K2tTABsIUXUUswrKhLWxU7pa2Wphcq4QqQPpt/u9su7rhYFrwNXDw0Jpy3nw7R7zyg8ZP/S0K8kd20UA0sOZEwXcKAiv2uLyII6oktmqu4rgerUifL8GtuZvt/T3btVjERtiRODCCLGn+3aeNWoxLTGV7xq127S+PAlDaWWr8nQfBAg2599TiiiyNOkRv/E0HOT5Xw5xKiLGaJrfnn7G8sIu6uweT/aTl7U6WQh1w3l0ZmEn2c3s/BOTOJh+M+cGJ67aZwho519L158V+3vZ4hVShDU/rpB50ZdKGZb64NPPrTqPSb1KRcTDhCsKx3J4zNYsBnFr81zsfDFXA+FeAyq+gFm2F1+sBwyeBKvmuABlYVTZ7R2aqYxr3eJyPXF3DMo8+HgH6BkwNDOWrqgl0MKAXMLDoiDBmK68iCVM6roWPKZqFnMwvx+cX+V2jJ3r9cfclL/oj5hNp8iMEHuVz+TPqcYuqGFIdHQIWptEtwJtqophf6nLx3Mic7gwXTVsrMgM7dZBe7uk=', 'QXF7oKzB62+F/rC6O2myfOH5PTRR3qRk2JDogjRXT6UP/ewOoVAnKxDRiX19Ft1fKoTFr9oNiV0rshkDC0u/x3ri/5X7JwzzQ1NOcNimoj82dadd6OVd5uohNihz8jG9N0//SEqWtfX4so034gu85kOUsQ4jmv1qFr5RCmqC0+z2CKXeLjQsRMYUcMnL+NC6CL0qDgpDAJtn39qa0nEla1GI6EEMt8j6ou37IbJqXg8+0W+blBCTwtkzqHaGTUh+XaEx9yOUzWDzIU3LrTYU5CPImPTmYk9Gva8mxey5r/e299FkJY1JsxZsrebKXihkLwtKJsbqBizq+3lt/gvwVU5Hxo+y9X5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Mutant created: \Sessions\1\BaseNamedObjects\DETDSVSEFF555_6SSDFSDF

Source: g5tO58gHku.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: g5tO58gHku.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: g5tO58gHku.exe	ReversingLabs: Detection: 86%
Source: g5tO58gHku.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Section loaded: schannel.dll	Jump to behavior

Source: g5tO58gHku.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: g5tO58gHku.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: g5tO58gHku.exe, UEEQjljDnMAmdU.cs

High entropy of concatenated method names: 'zxVMFHwJRCAkE', 'rAQAwYjrswzkw', 'PHjybnldWPF', 'oYnTfUHZxktNL', 'cmRIaMNQYTR', 'ZklGLMATLyywZ', 'IdZcStpZYJmagK', 'bynGmBXYGfMe', 'vdGKaQZyFOgOOeC', 'ZldBPExDCQYvgtX'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: g5tO58gHku.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\g5tO58gHku.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\g5tO58gHku.exe TID: 7412

Thread sleep time: -35000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\g5tO58gHku.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: g5tO58gHku.exe	Binary or memory string: vmware
Source: g5tO58gHku.exe, 00000000.00000002.2913332670.0000000001574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Queries volume information: C:\Users\user\Desktop\g5tO58gHku.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\g5tO58gHku.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: g5tO58gHku.exe, type: SAMPLE
Source: Yara match	File source: 0.0.g5tO58gHku.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: g5tO58gHku.exe PID: 7408, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
g5tO58gHku.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
g5tO58gHku.exe	81%	Virustotal		Browse
g5tO58gHku.exe	100%	Avira	TR/Dropper.Gen
g5tO58gHku.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
hicham157484.ddns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
hicham157484.ddns.net	8%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hicham157484.ddns.net	45.74.34.32	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
hicham157484.ddns.net	true	8%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.74.34.32	hicham157484.ddns.net	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546533
Start date and time:	2024-11-01 04:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g5tO58gHku.exe renamed because original name is a hash value
Original Sample Name:	0fc1be13a029ec3ce80bbe25da7a4362.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target g5tO58gHku.exe, PID 7408 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.74.34.32	bxUX6ztvg2.exe	Get hash	malicious	AsyncRAT, DcRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
hicham157484.ddns.net	bxUX6ztvg2.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.74.34.32
	rain.bat	Get hash	malicious	AsyncRAT	Browse	41.214.187.35
	crack.bat	Get hash	malicious	Unknown	Browse	41.214.187.35
	klbisQNtgP.exe	Get hash	malicious	AsyncRAT, PhoenixRAT	Browse	172.111.149.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	harm5.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	harm4.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	mips.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	arm4.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	bxUX6ztvg2.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.74.34.32
	nOrden_de_Compra___0001245.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.236.203.101
	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	38.203.241.135
	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	154.17.76.69
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	38.202.225.97
	Bjl3geiFEK.exe	Get hash	malicious	Phorpiex	Browse	91.202.233.141

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.572248898230603
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	g5tO58gHku.exe
File size:	48'640 bytes
MD5:	0fc1be13a029ec3ce80bbe25da7a4362
SHA1:	8538fda0583e0502e2b56129f7a52fdffbe7b041
SHA256:	96c411467b43f8c459e77c0f9bc8566b92cefa8f7d2e9e44c8f64950b4bc59c3
SHA512:	60a61f58cd1cb5f72b482e72469643288fe412b1e3e804bae2bee7d4584bd3cbdbf9aa9c53650109e82799188c41b7bfceaad3eefd3fa4018625cb40aab42178
SSDEEP:	768:uu/6ZTgoiziWUUM9rmo2qreq3itKvyEPIKTEb7GdY0bPoW9/Jf152O5wjYBDZwx:uu/6ZTgle2SUDKpdTbPoOxf15PwKdwx
TLSH:	20232A002BE9C126F2BE4F78A9F362058576F2673603D54E2CC851DB5B13FC69A025FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40d0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd060	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0b4	0xb200	497a883590dc0d6ea466ea4621f0e4ff	False	0.5427931882022472	data	5.630092870972295	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	e58fd12d1b53873afe54bb7ef6c1a465	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T04:44:16.777439+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.4	49731	TCP
2024-11-01T04:44:56.699460+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	51321	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:44:01.578514099 CET	49730	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:01.584250927 CET	1994	49730	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:01.584326982 CET	49730	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:01.596244097 CET	49730	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:01.601123095 CET	1994	49730	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:10.058857918 CET	1994	49730	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:10.058954954 CET	49730	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:15.080399036 CET	49730	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:15.081415892 CET	49732	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:15.085278034 CET	1994	49730	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:15.086265087 CET	1994	49732	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:15.086345911 CET	49732	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:15.086632967 CET	49732	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:15.091438055 CET	1994	49732	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:23.562299967 CET	1994	49732	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:23.562386990 CET	49732	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:28.600229979 CET	49732	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:28.601001024 CET	51318	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:28.605133057 CET	1994	49732	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:28.605916977 CET	1994	51318	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:28.606098890 CET	51318	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:28.606446981 CET	51318	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:28.611563921 CET	1994	51318	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:37.094018936 CET	1994	51318	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:37.094233990 CET	51318	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:42.109937906 CET	51318	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:42.110994101 CET	51319	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:42.312037945 CET	1994	51318	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:42.312055111 CET	1994	51319	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:42.312144041 CET	51319	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:42.312941074 CET	51319	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:42.317658901 CET	1994	51319	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:50.796600103 CET	1994	51319	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:50.796722889 CET	51319	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:55.797619104 CET	51319	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:55.799412966 CET	51322	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:55.802464008 CET	1994	51319	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:55.804222107 CET	1994	51322	45.74.34.32	192.168.2.4
Nov 1, 2024 04:44:55.804337025 CET	51322	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:55.805027008 CET	51322	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:44:55.809822083 CET	1994	51322	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:04.277018070 CET	1994	51322	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:04.277076006 CET	51322	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:09.281804085 CET	51322	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:09.286618948 CET	1994	51322	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:09.291425943 CET	51396	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:09.296207905 CET	1994	51396	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:09.296293020 CET	51396	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:09.296566010 CET	51396	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:09.301450014 CET	1994	51396	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:17.777497053 CET	1994	51396	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:17.777578115 CET	51396	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:22.781820059 CET	51396	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:22.782779932 CET	51471	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:22.786607981 CET	1994	51396	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:22.787516117 CET	1994	51471	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:22.787579060 CET	51471	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:22.787892103 CET	51471	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:22.792743921 CET	1994	51471	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:31.272602081 CET	1994	51471	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:31.273180962 CET	51471	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:36.281862974 CET	51471	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:36.282766104 CET	51547	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:36.286667109 CET	1994	51471	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:36.287616968 CET	1994	51547	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:36.287693024 CET	51547	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:36.287918091 CET	51547	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:36.292659998 CET	1994	51547	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:44.767616987 CET	1994	51547	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:44.767682076 CET	51547	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:49.781897068 CET	51547	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:49.782741070 CET	51590	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:49.786864042 CET	1994	51547	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:49.787686110 CET	1994	51590	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:49.787755966 CET	51590	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:49.788006067 CET	51590	1994	192.168.2.4	45.74.34.32
Nov 1, 2024 04:45:49.793652058 CET	1994	51590	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:58.270529985 CET	1994	51590	45.74.34.32	192.168.2.4
Nov 1, 2024 04:45:58.270617962 CET	51590	1994	192.168.2.4	45.74.34.32

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:44:01.567389965 CET	62085	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:44:01.576601982 CET	53	62085	1.1.1.1	192.168.2.4
Nov 1, 2024 04:44:18.867836952 CET	53	52262	1.1.1.1	192.168.2.4
Nov 1, 2024 04:45:09.282433033 CET	62166	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:45:09.290901899 CET	53	62166	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 04:44:01.567389965 CET	192.168.2.4	1.1.1.1	0xa03a	Standard query (0)	hicham157484.ddns.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:45:09.282433033 CET	192.168.2.4	1.1.1.1	0xb67a	Standard query (0)	hicham157484.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 04:44:01.576601982 CET	1.1.1.1	192.168.2.4	0xa03a	No error (0)	hicham157484.ddns.net		45.74.34.32	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:45:09.290901899 CET	1.1.1.1	192.168.2.4	0xb67a	No error (0)	hicham157484.ddns.net		45.74.34.32	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:43:56
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\g5tO58gHku.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g5tO58gHku.exe"
Imagebase:	0xf60000
File size:	48'640 bytes
MD5 hash:	0FC1BE13A029EC3CE80BBE25DA7A4362
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1666285450.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2913332670.000000000155D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2914216223.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 01691727 Relevance: 5.4, Strings: 4, Instructions: 444COMMON

Download Yara Rule

Strings

a^q, xrefs: 01691D3C
,, xrefs: 01691870
a^q, xrefs: 01691CDF
xbq, xrefs: 01691D76

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: a^q$ a^q$,$xbq
API String ID: 0-2180861429
Opcode ID: b21e1b6bf3b730c5d601cd6aec4f38affd432a633858ca4a3fa838e48d94a541
Instruction ID: 0172dee6c1cc0da45998350d1ef069e264106f8d261a8fe432ec3d43ddb449f9
Opcode Fuzzy Hash: b21e1b6bf3b730c5d601cd6aec4f38affd432a633858ca4a3fa838e48d94a541
Instruction Fuzzy Hash: 12029C707002019FDB15DF28D984B2EBBE6FB89314F248969E4069B3A9DF74DC85CB81

Function 01691962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

a^q, xrefs: 01691D3C
a^q, xrefs: 01691CDF
xbq, xrefs: 01691D76

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 77875b3796014fc2c6da8bdd927003f0be61a7fb913ee783ff6f8b7281eeeb37
Instruction ID: 1ffbdddbfd5fea6fa916711be83982e8dfb0d328d4c3f6b399f1b5f319b47d34
Opcode Fuzzy Hash: 77875b3796014fc2c6da8bdd927003f0be61a7fb913ee783ff6f8b7281eeeb37
Instruction Fuzzy Hash: 28619C707402008FD714DF28D944B2E7BE6FB99718F248929E5059F3A8DFB5ED898B81

Function 01690EBA Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

(bq, xrefs: 01691192
Te^q, xrefs: 01690EED

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: 107cc839b27c0bfc370f86f821b05f1b526c81d5f15870a55804653710ed76ab
Instruction ID: 14d6a351cdd8243e3c631dd4e2f35c7edffad6f093969c67967356aae5e8e9d9
Opcode Fuzzy Hash: 107cc839b27c0bfc370f86f821b05f1b526c81d5f15870a55804653710ed76ab
Instruction Fuzzy Hash: E8516970B101159FCB54DF6DC458AADBBF6FF89710F2581AAE806DB3A5CA71DC018B80

Function 01690D20 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01690E40
dLdq, xrefs: 01690D5B

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: 7e93f0f609bcdf3178a22c1b8bd12cf0fa69a4761345d7b57f4c9b04b5bfd4a0
Instruction ID: 7720a7c6695845ec54f8d16f1218ead2c44ec2ed888567bb3ab9139e0801c91b
Opcode Fuzzy Hash: 7e93f0f609bcdf3178a22c1b8bd12cf0fa69a4761345d7b57f4c9b04b5bfd4a0
Instruction Fuzzy Hash: A151CE31B002048FCB14CF6DD854AAEBBFABF88304F1445AAE405EB3A6CB759C45CB90

Function 01691339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0169138B

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: fd0c62ba85c7d87b2c89966c1345cdf11891f868b47c575f527ed0f8009dfbee
Instruction ID: 552846233ed7d43caa3e59cee1f2a0c1dbe0a0a3206d9d46a304cc74edda85ad
Opcode Fuzzy Hash: fd0c62ba85c7d87b2c89966c1345cdf11891f868b47c575f527ed0f8009dfbee
Instruction Fuzzy Hash: 76312674F002168FCB04AB7C985456EBBFAFFC5224B14456ED54ADB3A4DE30CC028792

Function 01690D10 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLdq, xrefs: 01690D5B

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: fc778f030399fde22899d1278ef44d1fc4901159fc7dfa174882ceb22d055257
Instruction ID: 1ccf37a8cb4db33783e2d73dd0b1e785158c998fc4cb6689bddfd9cc55ad0d31
Opcode Fuzzy Hash: fc778f030399fde22899d1278ef44d1fc4901159fc7dfa174882ceb22d055257
Instruction Fuzzy Hash: 03319075A002058FDB14CF69C448BAEBBF6FF88300F148569E405AB361CB74ED45CB90

Function 01690E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01690E40

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 5cbd96133f18c1a0e016ae663bcdf9cc5187d64aa539978199060f4e40c6e6f2
Instruction ID: 857e340334084d208a540a8fd3caf5544e09ba6499077397f00f212003a8f1ef
Opcode Fuzzy Hash: 5cbd96133f18c1a0e016ae663bcdf9cc5187d64aa539978199060f4e40c6e6f2
Instruction Fuzzy Hash: CC01F4307042904FC3959B3D94144AE3BE7BFCA22032504FAD049CB3A6CE388C068351

Function 01690AA0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501f2328cf75febb917f92ad334266d81d763c153da90234472136eb92db7632
Instruction ID: f44fea0a871480237f7a89b8cf59b47f40fbf3f29cefa7cab3d83eb26dee7d0a
Opcode Fuzzy Hash: 501f2328cf75febb917f92ad334266d81d763c153da90234472136eb92db7632
Instruction Fuzzy Hash: 8151C374600205CFC795EF28F58895AB776FB8C3857508669D806CB368DF39AD8ACF80

Function 016911D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825b262df7721f2bd0c9e53bb21f944f1d38643502d6086f50fed680a794cad6
Instruction ID: ee21e91ce76ce2e29265c35637dd589d50b024854460bad08b79bb08c0760a24
Opcode Fuzzy Hash: 825b262df7721f2bd0c9e53bb21f944f1d38643502d6086f50fed680a794cad6
Instruction Fuzzy Hash: 5F41B2B0F00209AFCB44EFB9C94466EBBFAFF89310F24856AD449D7355DA319D428B91

Function 01691030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356d810e16bbd9f196e800cf057335995867c4be236ab07804d24f6c0d441585
Instruction ID: cfe2e202fd45212ad216948af84dc1b4408a71228a53ab839a15f79eb71ce5c0
Opcode Fuzzy Hash: 356d810e16bbd9f196e800cf057335995867c4be236ab07804d24f6c0d441585
Instruction Fuzzy Hash: 45213734B001059FEB14DF69C994BAE7BE6BF89724F248059E906EB3A5CB719C00CB80

Function 01690998 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e0650986a6b1c7821de1bfe3fe79648afc931544f29271d797f2306e238515
Instruction ID: f5136d2d15f53c99db4492beae1930e4e923d519b7783b2e6b54f4967302594d
Opcode Fuzzy Hash: 58e0650986a6b1c7821de1bfe3fe79648afc931544f29271d797f2306e238515
Instruction Fuzzy Hash: 48213170B002429FDFB59B7CAD1867E3BACBF48245714562DBC07C5266EB288941CB95

Function 016909A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369083147dcdc2d6f878da8fcb8bff387b0d4fcb51ed7cca4553e9a4b8a713eb
Instruction ID: 21a554980dc01e8a2abadb0ad0823d99447f42fc01cf80ad16769ffc7d4018be
Opcode Fuzzy Hash: 369083147dcdc2d6f878da8fcb8bff387b0d4fcb51ed7cca4553e9a4b8a713eb
Instruction Fuzzy Hash: 582145707102028FDF75AB7DAD1862E3AACAF08245700452DBD07CA256EF288901C7D5

Function 01691431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd864a0eca5ecdf438bba8edd01268650408b66b051ae535404a21aa9e4237a
Instruction ID: 2f6932f5a76a7a2ee3423bbc431c80cb77d58c0003b6f7cf73b2ed2b111e6bf6
Opcode Fuzzy Hash: 6bd864a0eca5ecdf438bba8edd01268650408b66b051ae535404a21aa9e4237a
Instruction Fuzzy Hash: E4117C70B01205DFCB94DBBCD90866A77FAEF8D65571104BAD506CB361EB348C52CB90

Function 01691440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f15bebffd5de23142482ba8b32668e901b26f7d965b79c50f01496bace2811
Instruction ID: 5da69389a8049d312ba2e53bad50b33f4a1292f6a70042cc605bf4495598cf02
Opcode Fuzzy Hash: 20f15bebffd5de23142482ba8b32668e901b26f7d965b79c50f01496bace2811
Instruction Fuzzy Hash: A9116170B01205DFCB54DBBDD908A6A7BEAEF8D65572004B9D409DB354EE35DC41CB90

Function 016916A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5888f97dd0225a42034de1ae8e9d9f3a662489c0829cce01c63bdedd9ef5b7
Instruction ID: b4fc317178e9e6d5b3f6171b76673a361eddf6829bb0aa88bfbfcb24722d14f7
Opcode Fuzzy Hash: 1a5888f97dd0225a42034de1ae8e9d9f3a662489c0829cce01c63bdedd9ef5b7
Instruction Fuzzy Hash: 4D019A70B41222CFDFA4DFA8E8957BE37B8EF49614B18406DD9059B300EB304C02CB96

Function 01690E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b054344d48c40c54c4076e9049000806b4f18027c51369267663014db85e567
Instruction ID: 2d51c96f65caab604371bc59926af169eb2b8ef395828a6c2a17d13e38bf97ff
Opcode Fuzzy Hash: 6b054344d48c40c54c4076e9049000806b4f18027c51369267663014db85e567
Instruction Fuzzy Hash: 67E0C2323002045F8344963EF88885BB7DBEFC853432408B9F10DCB325DD60CC014390

Function 01690A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e2fc287bc65d8e014e7a8c4a08ab9548f337c421795a4e71aeae6cb96b2a7e
Instruction ID: 28d350a3f16e84a6826563f395fa6701059e0435656499ca5ad0850de2158d34
Opcode Fuzzy Hash: c3e2fc287bc65d8e014e7a8c4a08ab9548f337c421795a4e71aeae6cb96b2a7e
Instruction Fuzzy Hash: 26C08C2054514ACFDF3027B4D90CA2C3A1CAB80301F04021AB5030C47B8E7C08428B9A

Function 01690A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2913844588.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1690000_g5tO58gHku.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428abf17ead904d48f784a3e2665cbfcfdbf49b3725d7c65b8c2a3edcbd75c39
Instruction ID: f4ed7bd9bbeea02183727253312da2a3075efbffbba1c94531116b721a8f8744
Opcode Fuzzy Hash: 428abf17ead904d48f784a3e2665cbfcfdbf49b3725d7c65b8c2a3edcbd75c39
Instruction Fuzzy Hash: F3C08C20545107CFDB3027B4D90CA2C3A1CAF80301F040215B9030C47B8E7C08024B9A

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g5tO58gHku.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
g5tO58gHku.exe