Edit tour

Windows Analysis Report
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Overview

General Information

Sample name:	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Analysis ID:	1546879
MD5:	ea189587eda182b5edcb3b4977dbe529
SHA1:	35ecab87e17c8bac42598118745c92f1bff46a43
SHA256:	bd0e792d8bccec62065711552deb0a997ff4132e4050f03e9a4adb4811e611cf
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe" MD5: EA189587EDA182B5EDCB3B4977DBE529)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "sostener2024.duckdns.org", "Ports": "2020", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "Y87JSKg9gyY3j2G4q5kD4EQDhAzJbMPX", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVALv/XcwQnmQIwA3z8xW4ctTaHXVBMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTAyMjIxNTY1NVoXDTMzMDczMTIxNTY1NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIHPo9UElAeRw3cSGFuu04tmut2qVTmi9Jrgi/GqS0nhXmdp7dHiHatr+O8Ky6kFbRw3Od4qorPE48u+VlPHuwGMWSDHWvsNuvisquspvO+bKwNT4Nha26lWX+GEyE6RaYJN4dO3QuL0BxT6wcd6g22ZJl/0uugFGnSbJEm0SRtNAgMBAAGjMjAwMB0GA1UdDgQWBBQbaxfiE1h/zzfdLHK2Y9C2qyy8ITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFcWnogvkrMkdwkiJLc7kR6ntspay88jl/0EkB+JQu9+WJx0poJDW5wTagTKIbPu19sloMAf1rJPmIZ+gn3AhRFowfy+YOT2Bxxjklv9Y+zu3rkXbWcqzH+t4A0V3mbQSgD8K5Ulgrgn35gUcCdC5kymRjwdrKfy3Qk1MIIrtqJP", "ServerSignature": "gCqxGN2XFz6m+Z9HeZmzkjMv3rqhTklv/R54m+q9IzJOC1WTeGYnTBHgEHP7RHOPDvHLdwCV0GVcEsyIPaFaTupUdTnKkBRj+0aQMfGKtySDBV7dakDsnQtcDzDhokI1I3dazs2Mc/vloCurAZcnNwgO0XThq+f26gcPFC/czS8=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ae8:$a2: timeout 3 > NUL 0x9b08:$a3: START "" " 0x9993:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a48:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a48:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9993:$s2: L2Mgc2NodGFza3MgL2 0x9912:$s3: QW1zaVNjYW5CdWZmZXI 0x9960:$s4: VmlydHVhbFByb3RlY3Q
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cca:$q1: Select * from Win32_CacheMemory 0x9d0a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d58:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9da6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa142:$s1: DcRatBy

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63f7:$a1: havecamera 0x98e8:$a2: timeout 3 > NUL 0x9908:$a3: START "" " 0x9793:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9848:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.3020676790.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3ac9c:$b2: DcRat By qwqdanchun1
00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x55c0:$b1: DcRatByqwqdanchun 0x29e384:$b2: DcRat By qwqdanchun1
Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xbcfe:$a1: havecamera 0x108e4:$b1: DcRatByqwqdanchun 0x11a10:$b1: DcRatByqwqdanchun 0x77a8:$b2: DcRat By qwqdanchun1 0x19897:$b2: DcRat By qwqdanchun1
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ae8:$a2: timeout 3 > NUL 0x9b08:$a3: START "" " 0x9993:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a48:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a48:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9993:$s2: L2Mgc2NodGFza3MgL2 0x9912:$s3: QW1zaVNjYW5CdWZmZXI 0x9960:$s4: VmlydHVhbFByb3RlY3Q
0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cca:$q1: Select * from Win32_CacheMemory 0x9d0a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d58:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9da6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa142:$s1: DcRatBy

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T17:09:33.793529+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49731	TCP
2024-11-01T17:10:12.096403+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49781	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": "sostener2024.duckdns.org", "Ports": "2020", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "Y87JSKg9gyY3j2G4q5kD4EQDhAzJbMPX", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVALv/XcwQnmQIwA3z8xW4ctTaHXVBMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTAyMjIxNTY1NVoXDTMzMDczMTIxNTY1NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIHPo9UElAeRw3cSGFuu04tmut2qVTmi9Jrgi/GqS0nhXmdp7dHiHatr+O8Ky6kFbRw3Od4qorPE48u+VlPHuwGMWSDHWvsNuvisquspvO+bKwNT4Nha26lWX+GEyE6RaYJN4dO3QuL0BxT6wcd6g22ZJl/0uugFGnSbJEm0SRtNAgMBAAGjMjAwMB0GA1UdDgQWBBQbaxfiE1h/zzfdLHK2Y9C2qyy8ITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFcWnogvkrMkdwkiJLc7kR6ntspay88jl/0EkB+JQu9+WJx0poJDW5wTagTKIbPu19sloMAf1rJPmIZ+gn3AhRFowfy+YOT2Bxxjklv9Y+zu3rkXbWcqzH+t4A0V3mbQSgD8K5Ulgrgn35gUcCdC5kymRjwdrKfy3Qk1MIIrtqJP", "ServerSignature": "gCqxGN2XFz6m+Z9HeZmzkjMv3rqhTklv/R54m+q9IzJOC1WTeGYnTBHgEHP7RHOPDvHLdwCV0GVcEsyIPaFaTupUdTnKkBRj+0aQMfGKtySDBV7dakDsnQtcDzDhokI1I3dazs2Mc/vloCurAZcnNwgO0XThq+f26gcPFC/czS8=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Joe Sandbox ML: detected

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sostener2024.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: sostener2024.duckdns.org

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49781
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49731

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sostener2024.duckdns.org

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3020676790.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Code function: 0_2_00007FFD9B9030E5

0_2_00007FFD9B9030E5

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000000.1769313262.000000000087E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe" vs 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3020676790.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, Settings.cs	Base64 encoded string: 'TFJspWD7GsHQMZk5UpkFiEkF2W8i6lF5YjmQP2kjAejFHftLHr/L1D5e+gaMfu6L38fb/AIcmCRR1WTi62phdg==', 'lU2GskampQbZN5NhwH3m7uSd7yMmhK0fR0Zej7eMp93lr2MwWx8qD+OsPX1PoQFtxSrMZAujfvSECKpIaxBl8Q==', 'htwC7eftEkjRbD+cufqUoeuEY1R46Iq/gTSt6wPHCCIYLKARWOln5TLITNb2UFeHTzp9L4VBUfa7nAe5clnPRw==', 'LCyumoDtjFSIJEagBeu3UfsZmIyW9maacktOUH4S//sMFk/zR4l9sLMGfGlwmCMGuO5cVHOB/o3oJP7DEgy4ch3Ywxvq8NEfPpbacWFHgnU=', 'Q8jj2InI+I8wXQd/X6ST9Ivf8TV3nI1MzF/oLXflrL398i54MSA3jcwJDvVhCKgFLQ10aiAXyffENfvpriFAgVNZ4m1oHNYTg9stsyy/+jflXOlOceW8DM9ia2vZf03W+bXQ/yb98OMyAo/XbgibQ6GnFBtMucvFicAEvb3hfitUEJRVBY5HIMqL05BBKHE7cn75n+vJHuX3il9RVnB1GIdYoVD3ByPTewmaLHrzZhWSH9bf3mGxT0eyNEiQHjTEJliKK4IcOvn6RxHCAnmqQHXPQ8g5tCz/HfodAa267sQT+sRmQ7TYzuGbrOt/aJbV1pZfqvow1KwBfuopjFREKfdomslKbqOZTEL79exXGvHcyyYMyxs96n1Dvu1r3SuQvrYXFSJ+G+XRv3kZJ9uqaCppOyRZbaSvwCCbnrnivD9wiGCjCImR5z0PdsmNd7VudbgBclTiEvoSCI7yP05pigS4+B+RMMkmhRsiabY6H188wOHNH+eUxxLdq8tqQAYku9uTnZxUbJz/fVvbwfoFVznK253GmZQ2SgySMXozn945+nH7XpBqfi2XKB8TyTpGznHaUPHl2AmE+oxwZimWGFoFRJIm4czKE5+xBxVWKcGSGstjeuZooS0UFUAoP8fXxu3kkjEr0Hd1ooqg90/tVRSsGLojtdXVjVW3kI80ymcRoNnTpMrKsEPnSMFYG2mjsTX14M11qqR8DARE86ga9K9cA6w7qXly28YmOPB2LR6/M400M6grLOQyHVC7ks6gx+zb+VhhzpXneLmyiP20C8P1COwRvBGbiz/cKuQxz/WgYjgC3DaJxUsu5ZLhd0YqnHTO7tZ5zLW0qqgzxg3HNVNp7B6sGNidoEOPAnfPJOnhrl8g3Y7YYpQzMcgB67ZA8sYoGM0c+fyOol5Afxr6sCVTGjyNvU1WAn1W3TM100MAf6Nwp80S2rTEWA2gH8AgFR++pwycNTdyiF29SeOoT/KS7Y70QmAD9OttphW+f42/dtj75+a/vv06KueVI1yoR0YVEQbCTKrZLb2tH1jjNkJzTRfqt9vm3dhAUmZWrASpZURe8oSQ5qnssCVMkIKZ', 'NoIhHBH5bfbiyagZh3dRg7/Px4YZJ2eUwWH4/UMoOBwHFlTzPe/5PK5UnrS45W0B8fT06W4AtyzgmkOHKX7e5HB3X1bB81PFmPPq8NLipjrSMA79U6G/oB7cHyCeBsEt7ln5m/WgvShHOucpD8FSekrSCPlnQy+SCP333pP//G5YzmCu6DLIV3HpX7F16lwaK2osqVtuUrb6P54yN16QJiHF40lnTwhhRdjacT6PuVy/Upt30iN/7CTsIWnDox4cGB0a3otfNkGCpwQd3ee5PrhqzxkMfnfa8L/3zmRZ3Kc=', 'T2A/8H2KAy0oymS0/rlSrP06sF1CQoMBYRRLSqtZZ5g9aOfYhLUqZjCfJPUOcOdZygMtMwJ/Ggl4DF0Dxe8U8w==', '/YAgNBdLNjTJToggewvNuEiwrOPpJSiKwW3Oi7tnfvBJlHJkbj8XjDYlsG2mSZSS0Seyuml9LLx7tUe56jT5aQ==', 'I8YgPYILlfn2ERWSVCKOF7yn6F6yyEAexl/+Go7X5L6TmfaKjjYkLRqd7G1rnVUbft4sZDNiMBdEVlZpzE64TQ==', 'N+HHqNTvY8ONW5CvHI5XgafXsBEAj2M6637NxicMfAXvppsFmg02MTrHbcV6An1deP8RUT554DfwOy8MFaIkhw==', 'XDlA+rud57XgoBMeguKqH9gWQV/a3wcxs2TIG0xptC/1r7JoZjgFRqfVTipVvzecE4DtyjaiLamHuzHG0xJCbQ=='
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@21/1

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Code function: 0_2_00007FFD9B9000BD pushad ; iretd

0_2_00007FFD9B9000C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Memory allocated: 10C0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe TID: 6304

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000002.3022441568.000000001B663000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe PID: 6320, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	100%	Avira	HEUR/AGEN.1307404
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sostener2024.duckdns.org	192.169.69.26	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sostener2024.duckdns.org	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe, 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	sostener2024.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546879
Start date and time:	2024-11-01 17:08:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@21/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.169.69.26	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	yuya0415.duckdns.org:1928/Vre
	confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	http://yvtplhuqem.duckdns.org/ja/	Get hash	malicious	Unknown	Browse	yvtplhuqem.duckdns.org/ja/
	http://fqqqffcydg.duckdns.org/en/	Get hash	malicious	Unknown	Browse	fqqqffcydg.duckdns.org/en/
	http://yugdzvsqnf.duckdns.org/en/	Get hash	malicious	Unknown	Browse	yugdzvsqnf.duckdns.org/en/
	&nuevo_pedido#..vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	transferencia_Hsbc.xlsx	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	http://www.secure-0fflce-o365.duckdns.org/	Get hash	malicious	Unknown	Browse	www.secure-0fflce-o365.duckdns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sostener2024.duckdns.org	rKBGGJz4TB.exe	Get hash	malicious	AsyncRAT	Browse	179.14.9.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WOWUS	v6pwbOEUpl.elf	Get hash	malicious	Unknown	Browse	208.115.121.90
	QUOTE #46789_AL_JAMEELA24.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	173003310796a9a81fadbaf448c87ed10922a3747e183ef712567128e4bbfb00e7bcac9cd3988.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	kkkarm.elf	Get hash	malicious	Unknown	Browse	208.115.121.95
	UOp1kufsuw.exe	Get hash	malicious	Nanocore	Browse	192.169.69.26
	EXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletOpsistype.vbs	Get hash	malicious	Remcos, GuLoader	Browse	192.169.69.26
	DHL AWB_NO_928473.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	IMG465244247443 ORDER Opmagasinering.exe	Get hash	malicious	XWorm	Browse	192.169.69.26
	172966494683a361ba19e5107ad739c4261113c8b850c2db5512e1d9850ba41c9e7130006e629.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	17296642858200fb7d98884fd3fefd8063bc539e47fc39cf313b464256316dfe4c77155349452.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.616310833983759
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
File size:	48'640 bytes
MD5:	ea189587eda182b5edcb3b4977dbe529
SHA1:	35ecab87e17c8bac42598118745c92f1bff46a43
SHA256:	bd0e792d8bccec62065711552deb0a997ff4132e4050f03e9a4adb4811e611cf
SHA512:	79f96f975d5926fe1f7c56f989d82e0ed1d7b77435d8335cc6bd1fb38ab0643b7e8656336a61b5d82bc90d561768e00d170f516e900d478e548b126102086518
SSDEEP:	768:4q+s3pUtDILNCCa+DiptelDSN+iV08Ybyge9uFGq3xKvEgK/JvZVc6KN:4q+AGtQOptKDs4zb1fKnkJvZVclN
TLSH:	36235C4037E88136E2BD4BB8ACF3E2458275D6676903DA5D6CC814EA1F13BC596036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cbbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb64	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabc4	0xac00	f679f2191adcfb0045d464b044618a5f	False	0.501953125	data	5.641277698381036	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	82148d01c3935cf90ef81a3dd1fad607	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T17:09:33.793529+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49731	TCP
2024-11-01T17:10:12.096403+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49781	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 17:09:29.055077076 CET	49730	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:29.060847044 CET	2020	49730	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:29.060961008 CET	49730	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:29.630889893 CET	49730	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:29.821495056 CET	2020	49730	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:30.055504084 CET	2020	49730	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:30.055572987 CET	49730	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:35.075131893 CET	49730	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:35.076411009 CET	49735	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:35.080492020 CET	2020	49730	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:35.081357002 CET	2020	49735	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:35.081424952 CET	49735	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:35.081799030 CET	49735	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:35.086998940 CET	2020	49735	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:35.864638090 CET	2020	49735	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:35.864775896 CET	49735	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:40.869112015 CET	49735	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:40.874017954 CET	2020	49735	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:40.895376921 CET	49738	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:40.900245905 CET	2020	49738	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:40.900312901 CET	49738	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:40.907749891 CET	49738	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:40.912729979 CET	2020	49738	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:41.741308928 CET	2020	49738	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:41.741379023 CET	49738	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:46.742119074 CET	49738	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:46.743019104 CET	49739	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:46.747975111 CET	2020	49738	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:46.748502970 CET	2020	49739	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:46.749145031 CET	49739	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:46.749428034 CET	49739	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:46.755039930 CET	2020	49739	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:47.570250034 CET	2020	49739	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:47.570426941 CET	49739	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:52.585900068 CET	49739	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:52.586627960 CET	49740	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:52.590724945 CET	2020	49739	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:52.591523886 CET	2020	49740	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:52.591613054 CET	49740	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:52.591835022 CET	49740	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:52.600878954 CET	2020	49740	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:53.466475964 CET	2020	49740	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:53.466558933 CET	49740	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:58.476691961 CET	49740	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:58.477987051 CET	49741	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:58.481637001 CET	2020	49740	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:58.482891083 CET	2020	49741	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:58.482959986 CET	49741	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:58.483258963 CET	49741	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:09:58.488256931 CET	2020	49741	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:59.314747095 CET	2020	49741	192.169.69.26	192.168.2.4
Nov 1, 2024 17:09:59.314884901 CET	49741	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:04.321381092 CET	49741	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:04.323596954 CET	49743	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:04.327085018 CET	2020	49741	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:04.328877926 CET	2020	49743	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:04.328954935 CET	49743	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:04.329271078 CET	49743	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:04.335832119 CET	2020	49743	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:05.201051950 CET	2020	49743	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:05.201134920 CET	49743	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:10.211146116 CET	49743	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:10.212081909 CET	49776	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:10.216051102 CET	2020	49743	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:10.217255116 CET	2020	49776	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:10.217333078 CET	49776	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:10.217571020 CET	49776	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:10.223187923 CET	2020	49776	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:11.048015118 CET	2020	49776	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:11.048098087 CET	49776	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:16.054873943 CET	49776	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:16.055908918 CET	49801	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:16.059916019 CET	2020	49776	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:16.061064005 CET	2020	49801	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:16.061144114 CET	49801	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:16.061446905 CET	49801	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:16.066271067 CET	2020	49801	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:16.950469971 CET	2020	49801	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:16.950603962 CET	49801	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:21.961172104 CET	49801	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:21.962138891 CET	49830	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:21.977442980 CET	2020	49801	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:21.977734089 CET	2020	49830	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:21.977816105 CET	49830	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:21.978125095 CET	49830	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:21.994379997 CET	2020	49830	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:22.870498896 CET	2020	49830	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:22.870569944 CET	49830	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:27.883018017 CET	49830	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:27.884139061 CET	49861	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:27.887943983 CET	2020	49830	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:27.889189959 CET	2020	49861	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:27.889262915 CET	49861	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:27.889635086 CET	49861	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:27.894479036 CET	2020	49861	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:28.680012941 CET	2020	49861	192.169.69.26	192.168.2.4
Nov 1, 2024 17:10:28.680108070 CET	49861	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:33.695601940 CET	49861	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:10:33.701133966 CET	2020	49861	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:11.680943966 CET	50013	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:11.688524008 CET	2020	50013	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:11.688601971 CET	50013	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:11.688941002 CET	50013	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:11.695766926 CET	2020	50013	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:12.608922958 CET	2020	50013	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:12.608987093 CET	50013	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:17.887624025 CET	50013	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:17.888349056 CET	50014	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:17.892625093 CET	2020	50013	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:17.893274069 CET	2020	50014	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:17.893345118 CET	50014	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:17.893683910 CET	50014	2020	192.168.2.4	192.169.69.26
Nov 1, 2024 17:11:17.898705006 CET	2020	50014	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:18.754641056 CET	2020	50014	192.169.69.26	192.168.2.4
Nov 1, 2024 17:11:18.754720926 CET	50014	2020	192.168.2.4	192.169.69.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 17:09:18.123394966 CET	49496	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:09:19.117243052 CET	49496	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:09:20.132859945 CET	49496	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:09:22.132827997 CET	49496	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:09:23.839931011 CET	53	49496	1.1.1.1	192.168.2.4
Nov 1, 2024 17:09:23.839982986 CET	53	49496	1.1.1.1	192.168.2.4
Nov 1, 2024 17:09:23.839993954 CET	53	49496	1.1.1.1	192.168.2.4
Nov 1, 2024 17:09:23.840029955 CET	53	49496	1.1.1.1	192.168.2.4
Nov 1, 2024 17:09:28.880295992 CET	64240	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:09:29.012103081 CET	53	64240	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:33.696456909 CET	63189	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:34.711292982 CET	63189	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:35.728046894 CET	63189	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:37.707153082 CET	53	63189	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:37.707171917 CET	53	63189	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:37.707592010 CET	53	63189	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:42.722829103 CET	50391	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:43.711448908 CET	50391	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:44.726794004 CET	50391	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:46.742384911 CET	50391	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:46.946970940 CET	53	50391	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:46.946991920 CET	53	50391	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:46.947005033 CET	53	50391	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:47.322351933 CET	53	50391	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:51.962037086 CET	57309	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:52.961390018 CET	57309	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:53.976757050 CET	57309	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:55.992539883 CET	57309	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:10:56.023420095 CET	53	57309	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:56.023442030 CET	53	57309	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:56.023452997 CET	53	57309	1.1.1.1	192.168.2.4
Nov 1, 2024 17:10:56.032180071 CET	53	57309	1.1.1.1	192.168.2.4
Nov 1, 2024 17:11:01.040117979 CET	64961	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:11:02.056124926 CET	64961	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:11:03.055114985 CET	64961	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:11:05.050100088 CET	53	64961	1.1.1.1	192.168.2.4
Nov 1, 2024 17:11:05.050116062 CET	53	64961	1.1.1.1	192.168.2.4
Nov 1, 2024 17:11:05.050127983 CET	53	64961	1.1.1.1	192.168.2.4
Nov 1, 2024 17:11:10.056658983 CET	55906	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:11:11.070651054 CET	55906	53	192.168.2.4	1.1.1.1
Nov 1, 2024 17:11:11.680125952 CET	53	55906	1.1.1.1	192.168.2.4
Nov 1, 2024 17:11:11.682195902 CET	53	55906	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 17:09:18.123394966 CET	192.168.2.4	1.1.1.1	0xc66f	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:19.117243052 CET	192.168.2.4	1.1.1.1	0xc66f	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:20.132859945 CET	192.168.2.4	1.1.1.1	0xc66f	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:22.132827997 CET	192.168.2.4	1.1.1.1	0xc66f	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:28.880295992 CET	192.168.2.4	1.1.1.1	0xaf16	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:33.696456909 CET	192.168.2.4	1.1.1.1	0x6fc8	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:34.711292982 CET	192.168.2.4	1.1.1.1	0x6fc8	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:35.728046894 CET	192.168.2.4	1.1.1.1	0x6fc8	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:42.722829103 CET	192.168.2.4	1.1.1.1	0xb543	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:43.711448908 CET	192.168.2.4	1.1.1.1	0xb543	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:44.726794004 CET	192.168.2.4	1.1.1.1	0xb543	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:46.742384911 CET	192.168.2.4	1.1.1.1	0xb543	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:51.962037086 CET	192.168.2.4	1.1.1.1	0x2be2	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:52.961390018 CET	192.168.2.4	1.1.1.1	0x2be2	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:53.976757050 CET	192.168.2.4	1.1.1.1	0x2be2	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:55.992539883 CET	192.168.2.4	1.1.1.1	0x2be2	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:01.040117979 CET	192.168.2.4	1.1.1.1	0x4ab7	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:02.056124926 CET	192.168.2.4	1.1.1.1	0x4ab7	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:03.055114985 CET	192.168.2.4	1.1.1.1	0x4ab7	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:10.056658983 CET	192.168.2.4	1.1.1.1	0x47b8	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:11.070651054 CET	192.168.2.4	1.1.1.1	0x47b8	Standard query (0)	sostener2024.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 17:09:23.839931011 CET	1.1.1.1	192.168.2.4	0xc66f	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:23.839982986 CET	1.1.1.1	192.168.2.4	0xc66f	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:23.839993954 CET	1.1.1.1	192.168.2.4	0xc66f	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:23.840029955 CET	1.1.1.1	192.168.2.4	0xc66f	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:09:29.012103081 CET	1.1.1.1	192.168.2.4	0xaf16	No error (0)	sostener2024.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:37.707153082 CET	1.1.1.1	192.168.2.4	0x6fc8	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:37.707171917 CET	1.1.1.1	192.168.2.4	0x6fc8	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:37.707592010 CET	1.1.1.1	192.168.2.4	0x6fc8	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:46.946970940 CET	1.1.1.1	192.168.2.4	0xb543	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:46.946991920 CET	1.1.1.1	192.168.2.4	0xb543	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:46.947005033 CET	1.1.1.1	192.168.2.4	0xb543	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:47.322351933 CET	1.1.1.1	192.168.2.4	0xb543	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:56.023420095 CET	1.1.1.1	192.168.2.4	0x2be2	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:56.023442030 CET	1.1.1.1	192.168.2.4	0x2be2	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:56.023452997 CET	1.1.1.1	192.168.2.4	0x2be2	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:10:56.032180071 CET	1.1.1.1	192.168.2.4	0x2be2	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:05.050100088 CET	1.1.1.1	192.168.2.4	0x4ab7	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:05.050116062 CET	1.1.1.1	192.168.2.4	0x4ab7	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:05.050127983 CET	1.1.1.1	192.168.2.4	0x4ab7	Server failure (2)	sostener2024.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:11.680125952 CET	1.1.1.1	192.168.2.4	0x47b8	No error (0)	sostener2024.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Nov 1, 2024 17:11:11.682195902 CET	1.1.1.1	192.168.2.4	0x47b8	No error (0)	sostener2024.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false

Analysis Process: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exePID: 6320, Parent PID: 2580

General

Target ID:	0
Start time:	12:09:13
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe"
Imagebase:	0x870000
File size:	48'640 bytes
MD5 hash:	EA189587EDA182B5EDCB3B4977DBE529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1769296546.0000000000872000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3020676790.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3021179672.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exePID: 6320, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	32.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B9030E5 Relevance: 2.0, Strings: 1, Instructions: 787
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FFD9B90321A

Memory Dump Source

Source File: 00000000.00000002.3023255324.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b900000_17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bb.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 3ab758cc2e9664915bd79a0992065f59f8e1a125021a87296624826b29137a32
Instruction ID: 604ce870c72ca00505501b973c4f062fe27a3d5aa34dc9aab5496e8340389ba1
Opcode Fuzzy Hash: 3ab758cc2e9664915bd79a0992065f59f8e1a125021a87296624826b29137a32
Instruction Fuzzy Hash: C832F631B2D90A5FEB68EB6C84657B973D2FF98310F544579E05EC32EACE28A8418741

Function 00007FFD9B9029E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FFD9B902ABF

Memory Dump Source

Source File: 00000000.00000002.3023255324.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b900000_17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bb.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bcc5da6bfe6f94317de47a13b216f87ac0582525f78e8e74deed7b48f33d1916
Instruction ID: 5f0619c618fb1c0805783089f5d2c41eca1557a647aed71856d6a1f9c70c58f7
Opcode Fuzzy Hash: bcc5da6bfe6f94317de47a13b216f87ac0582525f78e8e74deed7b48f33d1916
Instruction Fuzzy Hash: B9416F30A08A5C8FDB98EF98D855BEDBBF1FF99310F1041AAD04DD7296CA75A845CB40

Function 00007FFD9B902D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B902E1A

Memory Dump Source

Source File: 00000000.00000002.3023255324.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b900000_17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1451839f1e0531af876cf177fed8db34c162e9c432f44d47c6add4b52d786309
Instruction ID: c172a815f5072e38fd414a9ccfabaf8476251507b52230a7e73c23324776f12b
Opcode Fuzzy Hash: 1451839f1e0531af876cf177fed8db34c162e9c432f44d47c6add4b52d786309
Instruction Fuzzy Hash: F441193190D7884FDB199BA898566ED7FE0EF56321F0442AFD089C3193CA746806C796

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
17304772280366bf2e2bb7f849b5bf79510637548fa7c7d19dd73a2fc7893bc18cc1bbe09f276.dat-decoded.exe

Function 00007FFD9B9030E5 Relevance: 2.0, Strings: 1, Instructions: 787
COMMON

Function 00007FFD9B9029E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Function 00007FFD9B902D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON