
Windows Analysis Report
1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe

Overview

General Information

Sample name: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
Analysis ID: 1549924
MD5: e37ccbcd075c4ec7d14499980edb88ab
SHA1: 8cf12f19bcbe18c21ba0069fec023fc43c107e97
SHA256: 66663cf3596b0e6fd2721d81f91cda058ca61feb46f9943ef1a91fec7a68590d
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "dcfas.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "tO9oLnyeTNi4YdVBqZKpnnz0bcclHTDq", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "GIHEiWfKfuooc8H6t/nBNveyrvGg+yyc05zOTRONM1x3ZUOAMetE3INwtqWKHwLxN71/W2hn50k/Gi9jG3UOrLfOMunmQYJmq/IamWD5vvmYS0Vsc04xvGGEdm8OMG1e/XQlGduqqhioTDY9Dy5WLtuzqrvcuNlTWSVpzDFSdnQ=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
    • 0x65fb:$a1: havecamera
    • 0x9aec:$a2: timeout 3 > NUL
    • 0x9b0c:$a3: START "" "
    • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
    • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x9997:$s2: L2Mgc2NodGFza3MgL2
    • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
    • 0x9cce:$q1: Select * from Win32_CacheMemory
    • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
    • 0xa146:$s1: DcRatBy
Source: dump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
    • 0x915:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.3301574225.000000001B7A1000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
    • 0x37ac:$b2: DcRat By qwqdanchun1
Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      • 0x63fb:$a1: havecamera
      • 0x98ec:$a2: timeout 3 > NUL
      • 0x990c:$a3: START "" "
      • 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      • 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      • 0x40368:$b2: DcRat By qwqdanchun1
      • 0x66b10:$b2: DcRat By qwqdanchun1
      • 0x6b1ec:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
          • 0x65fb:$a1: havecamera
          • 0x9aec:$a2: timeout 3 > NUL
          • 0x9b0c:$a3: START "" "
          • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
          • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
          • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
          • 0x9997:$s2: L2Mgc2NodGFza3MgL2
          • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
          • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
          • 0x9cce:$q1: Select * from Win32_CacheMemory
          • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
          • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
          • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
          • 0xa146:$s1: DcRatBy
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T09:01:19.031231+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49706 | TCP
2024-11-06T09:02:00.401978+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 51671 | TCP
2024-11-06T09:01:14.623902+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP
2024-11-06T09:01:14.623902+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP
2024-11-06T09:01:14.623902+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP


          AV Detection

Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Avira: detected
          Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeMalware Configuration Extractor: AsyncRAT {"Server": "dcfas.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "tO9oLnyeTNi4YdVBqZKpnnz0bcclHTDq", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "GIHEiWfKfuooc8H6t/nBNveyrvGg+yyc05zOTRONM1x3ZUOAMetE3INwtqWKHwLxN71/W2hn50k/Gi9jG3UOrLfOMunmQYJmq/IamWD5vvmYS0Vsc04xvGGEdm8OMG1e/XQlGduqqhioTDY9Dy5WLtuzqrvcuNlTWSVpzDFSdnQ=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:35650 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: dcfas.duckdns.org
Source: unknown | DNS query: name: dcfas.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 45.135.232.38:35650
Source: Joe Sandbox View | IP Address: 45.135.232.38
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49706
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:51671
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dcfas.duckdns.org
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&.
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3299677795.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3301694093.000000001B8E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab:
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR

          System Summary

Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.3301574225.000000001B7A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Code function: 0_2_00007FF848F19132
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Code function: 0_2_00007FF848F130E5
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Code function: 0_2_00007FF848F18386
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000000.2044034990.0000000000B3E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.3301574225.000000001B7A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
          Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, Settings.csBase64 encoded string: 'i534Y3gMlV5U5HR8zm4ficv+0CVrdOxFD3SHfysITX0gRGKE1/b/qhfmz4kz+E8bHJBNdVR88lgWPHGMys/eKY6a/5eW00al1FZakUwaS4o=', 'J/V1poaQJxqXrfTObGHsZnat4Nx1VUtKp/jnxMnnMIc93GBcFwJPJWtn2SMLt6z8sLmMLJGa16DbvUA2Z4VDWg==', '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', 'zwV/JPRDQ211U3K784E+jZZAwpuKpo7EmpKO7gWJV1y5Kiy5d4ku/FujYrtMpM+cB24dOH17zwjLpBCU3dZGjNWy16vST0NBVwu/F62UpbTr9ct7/E1//WV1edoTN9ak5zLCfPfRjLSgT4TEdzLck8x2532fl3B4hf4D4ezkmDDZxywHqd9xJIdtsdG6i3GDLQhiBnefQdalpS6AFswwufaSWuKyv8rZmkdEbP4k0FXSyoOLpGQRmLYQ1AE0TbhIksUEX925dA5y4bQ4PgBOA0CyzcsWHPiIoCCltmwFHPI=', 'Ls08fAzb8Prq9hP1clm5YdXH7U1dfhJITtn/5op9lMInpId5pR2qDXBLrkLzE6k+njL756ZqI2m3z48beSVtQg==', 'wo+/793E8nceC0xdgjM8Fg0S2Y0KQkjV7jtE7mc8i2HiioMrHJn9lV4bnC3Pf6wYeQ+WsJhd36/QUAM2poyiaQ==', 'p9W81MuDW8LYT8lJSZzpiGUo/qvo5tU+PTXwbSLM9QvNhBb0lG3IMTXyX5HNs5RAGY0iDfKqhby2zo/PSk4A7w==', 'zE4Lf4+29GuHDKbMKDecmwoUfVBiM2LN4Uz33wMZGJ0I/G1jNOT/nO0ACHvwG1ZmCDhMtmZ7W9iDUNueqsEepQ==', 'pTEc5d4kHjGtVBb9Nkt9Hn3xh+wuoB0lbxxD1jt+670OILltWZHtp8ZE9rMofvz4RLZMPtCez8PI5BRKuZDe8g=='
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@5/1
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: webio.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: devenum.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeSection loaded: msdmo.dllJump to behavior
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeCode function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1

          Boot Survival

Source: Yara match; File source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX (reported 50 times)

          Malware Analysis System Evasion

Source: Yara match; File source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Memory allocated: 1AE20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Window / User API: threadDelayed 9746
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe TID: 4712; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe TID: 5268; Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe TID: 408; Thread sleep count: 9746 > 30
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe TID: 408; Thread sleep count: 112 > 30
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3302033669.000000001B9B7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3302033669.000000001B9B7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW_
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, AntiProcess.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) (desired access 1 = PROCESS_TERMINATE)
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, Win32.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (reported twice; exports are resolved by name at run time, so the functions actually called do not appear in the assembly's P/Invoke metadata)
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, Amsi.cs; Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _) (64 = 0x40 = PAGE_EXECUTE_READWRITE; the argument shape, address, size, new protection, out old protection, is that of VirtualProtect whatever the delegate is named)
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp; 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002E95000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002E95000.00000004.00000800.00020000.00000000.sdmp; 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000003158000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
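The Amsi.cs reference above writes a buffer named patch at a function address after setting protection 64 (PAGE_EXECUTE_READWRITE). That is the shape of the in-process AmsiScanBuffer patch, and the defender-side check is to compare the function's first bytes in the live process with the same bytes in amsi.dll on disk and with published bypass stubs. The Python below is an added example, not code from this report or from the sample: the reference prologue and the two "live" readings are constructed for illustration, and on a real host you would read them from the target process and from the mapped image.

```python
"""Detect an overwritten AmsiScanBuffer entry (added example, constructed inputs)."""
from __future__ import annotations

# Protection value the sample's Amsi.cs passes (64u): PAGE_EXECUTE_READWRITE.
PAGE_EXECUTE_READWRITE = 0x40

# Widely published x64 stubs written over the start of AmsiScanBuffer.
# Each one returns before any buffer is scanned.
KNOWN_STUBS: dict[bytes, str] = {
    b"\xb8\x57\x00\x07\x80\xc3": "mov eax, 0x80070057 (E_INVALIDARG); ret",
    b"\x48\x31\xc0\xc3": "xor rax, rax; ret",
    b"\x31\xc0\xc3": "xor eax, eax; ret",
    b"\xc3": "ret at entry",
}


def match_known_stub(prologue: bytes) -> str | None:
    """Describe the stub if the prologue starts with a known bypass pattern."""
    # Longest pattern first so the single-byte 'ret' does not shadow the others.
    for stub in sorted(KNOWN_STUBS, key=len, reverse=True):
        if prologue.startswith(stub):
            return KNOWN_STUBS[stub]
    return None


def modified_offsets(live: bytes, on_disk: bytes, window: int = 16) -> list[int]:
    """Offsets within the first `window` bytes where live memory differs from the image."""
    n = min(window, len(live), len(on_disk))
    return [i for i in range(n) if live[i] != on_disk[i]]


def assess(live: bytes, on_disk: bytes) -> dict:
    """Combine both checks: a known stub, or any byte changed versus the on-disk image."""
    stub = match_known_stub(live)
    diffs = modified_offsets(live, on_disk)
    return {
        "patched": stub is not None or bool(diffs),
        "known_stub": stub,
        "modified_offsets": diffs,
    }


# Constructed reference prologue: a plausible x64 function entry, not the bytes
# of any specific amsi.dll build.
#   mov r11, rsp / mov [r11+8], rbx / mov [r11+10h], rsi / push rdi / sub rsp, 70h
ON_DISK_PROLOGUE = bytes.fromhex("4c8bdc49895b0849897310574883ec70")

# Constructed "live" readings: untouched, and after the classic 6-byte patch.
LIVE_CLEAN = ON_DISK_PROLOGUE
LIVE_PATCHED = b"\xb8\x57\x00\x07\x80\xc3" + ON_DISK_PROLOGUE[6:]

if __name__ == "__main__":
    for label, live in (("clean", LIVE_CLEAN), ("patched", LIVE_PATCHED)):
        print(label, assess(live, ON_DISK_PROLOGUE))
```

The image-diff check is the one to rely on: stub lists go stale, but any byte changed at the entry relative to the on-disk image is a finding regardless of which stub was used.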

          Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MSASCui.exe
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3302033669.000000001BA3F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: procexp.exe
Source: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: Yara match; File source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe PID: 1488, type: MEMORYSTR
MITRE ATT&CK Matrix

One line per tactic column of the matrix (the original layout was flattened). A number in parentheses is the signature-count badge the report attaches to that technique, reproduced as rendered; entries without a count are the matrix's default cells with no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); Native API (1); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (1); Obfuscated Files or Information (111); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307404
1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
dcfas.duckdns.org | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dcfas.duckdns.org | 45.135.232.38 | true | true | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
dcfas.duckdns.org | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp; 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe, 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high (this is the standard WS-Identity claim-type URI embedded by the .NET claims classes, not a network indicator)
IP | Domain | Country | ASN | ASN Name | Malicious
45.135.232.38 | dcfas.duckdns.org | Russian Federation | 49392 | ASBAXETNRU | true
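The network section above pairs a free dynamic-DNS name, dcfas.duckdns.org, with 45.135.232.38 in AS49392. As an added example that is not part of the report, the Python below runs that pair, and the more general rule "any host under a dynamic-DNS zone", over constructed resolver-log lines. The log format and the zone list are assumptions to adapt to the real source (resolver logs, Sysmon event 22, EDR DNS telemetry).

```python
"""Tag DNS answers for dynamic-DNS names and for the C2 pair in this report.

Added example with constructed log lines in the form
"<timestamp> <client> <qtype> <qname> <answer>"; adapt parse_line() to your feed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the report's network section.
C2_HOST = "dcfas.duckdns.org"
C2_IP = "45.135.232.38"

# Assumption: a starter set of free dynamic-DNS zones; extend it for your estate.
DDNS_ZONES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org",
              "zapto.org", "sytes.net", "dynu.com")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    answer: str
    tags: tuple


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_ddns_name(qname: str) -> bool:
    """True for a host *under* a dynamic-DNS zone, not for the zone apex itself."""
    q = normalize(qname)
    return any(q.endswith("." + zone) for zone in DDNS_ZONES)


def tags_for(qname: str, answer: str) -> tuple:
    """Every tag that applies to one (qname, answer) pair, in a fixed order."""
    q = normalize(qname)
    tags = []
    if q == C2_HOST:
        tags.append("c2-host")
    if answer == C2_IP:
        tags.append("c2-ip")
    if is_ddns_name(q):
        tags.append("dynamic-dns")
    return tuple(tags)


def parse_line(line: str):
    """Split one constructed log line; None for comments or unknown formats."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def scan(lines) -> list:
    """Return one Hit per answer that carries at least one tag."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _qtype, qname, answer = rec
        tags = tags_for(qname, answer)
        if tags:
            hits.append(Hit(ts, client, qname, answer, tags))
    return hits


# Constructed sample log (RFC 5737 documentation addresses for the benign rows).
SAMPLE_LOG = [
    "# resolver log, constructed for this example",
    "2024-11-06T08:01:10Z 10.0.0.5 A www.example.com 203.0.113.10",
    "2024-11-06T08:01:15Z 10.0.0.5 A dcfas.duckdns.org 45.135.232.38",
    "2024-11-06T08:02:02Z 10.0.0.9 A beacon.no-ip.com 198.51.100.7",
    "2024-11-06T08:02:30Z 10.0.0.9 A duckdns.org 203.0.113.20",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The zone-apex exclusion matters in practice: traffic to duckdns.org itself is a user visiting the provider, while a host under it is the signal worth reviewing, and the explicit C2 pair should be alerted on even after the dynamic name is re-pointed elsewhere.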
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549924
Start date and time: 2024-11-06 09:00:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@5/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 5
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded IPs from analysis (whitelisted): 2.19.126.137, 2.19.126.163
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • VT rate limit hit for: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
              Time | Type | Description
              03:01:15 | API Interceptor | 2x Sleep call for process: 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe modified
                        Match | Associated Sample Name / URL | Detection | Threat Name
                        45.135.232.38 | sostener.vbs | malicious | AsyncRAT, DcRat
                        45.135.232.38 | 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | malicious | Remcos
                        45.135.232.38 | 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | malicious | AsyncRAT, DcRat
                        45.135.232.38 | decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe | malicious | Remcos
                        45.135.232.38 | sostener.vbs | malicious | Remcos
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        ASBAXETNRU | arm5.elf | malicious | Mirai | 212.196.181.187
                        ASBAXETNRU | Payload 94.75 (2).225.exe | malicious | Unknown | 194.87.252.100
                        ASBAXETNRU | dvc2TBOZTh.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.135.20.4
                        ASBAXETNRU | teh76E2k50.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.135.20.4
                        ASBAXETNRU | SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe | malicious | Xmrig | 45.89.228.144
                        ASBAXETNRU | bin.armv7l.elf | malicious | Mirai | 212.192.15.49
                        ASBAXETNRU | https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14 | malicious | Phisher | 45.147.195.16
                        ASBAXETNRU | https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14 | malicious | Phisher | 45.147.195.16
                        ASBAXETNRU | 7p6TMfaWhQ.exe | malicious | Clipboard Hijacker, Cryptbot | 45.142.44.233
                        ASBAXETNRU | SecuriteInfo.com.Trojan.Siggen29.1091.19313.13427.exe | malicious | Xmrig | 45.89.228.144
                        No context
                        No context
                        Process:C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                        Category:dropped
                        Size (bytes):71954
                        Entropy (8bit):7.996617769952133
                        Encrypted:true
                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                        Process:C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):328
                        Entropy (8bit):3.1333860653411176
                        Encrypted:false
                        SSDEEP:6:kK8l99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VDnLNkPlE99SNxAhUe/3
                        MD5:52914AA4DE725A029A4852D2CD6D0AFD
                        SHA1:321AEF598B85E987049819BB0D36C7094257AC1F
                        SHA-256:9F05F6F41FB0C992888E527F9744409512626E7F236CABD3B2338BD7BE95C886
                        SHA-512:5201ACFA532C5528006B0ECE338590ED9261E7C63698F70309A7896063728D45C154E38C8E201AD3AD730E14064591D8DB9AAFBCCEAEE50D802ABE80F46C3FC3
                        Malicious:false
                        Reputation:low
                        Preview:p...... ............"0..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):5.619014410241646
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
                        File size:48'640 bytes
                        MD5:e37ccbcd075c4ec7d14499980edb88ab
                        SHA1:8cf12f19bcbe18c21ba0069fec023fc43c107e97
                        SHA256:66663cf3596b0e6fd2721d81f91cda058ca61feb46f9943ef1a91fec7a68590d
                        SHA512:bf65695638c4fbeac8d44698bef9e3d1955ba6dc99a7d23c5de68ee108be22b4bbf6f47474f6f3916f314c9e4640f3878f3bf72fe8fcbd641326cc1bd9c8e5da
                        SSDEEP:768:xGq+s3pUtDILNCCa+DiC0jxYsLqRl8Aonia8YbXgepGQPPWLvEgK/JLZVc6KN:8q+AGtQOCCzLAozbw3QPonkJLZVclN
                        TLSH:4D236D0037D8C136E6FD4BB4A9F2A1458279D66B6903CB5D6CC811AA2F13BC597036FE
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0x40cbbe
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb68 | 0x53 | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0xabc4 | 0xac00 | 297e35fb1b2ba7ce0fb8ab72bbb386a8 | False | 0.502452761627907 | data | 5.644861345556527 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
                        RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-06T09:01:14.623902+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP
                        2024-11-06T09:01:14.623902+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP
                        2024-11-06T09:01:14.623902+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49704 | TCP
                        2024-11-06T09:01:19.031231+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.5 | 49706 | TCP
                        2024-11-06T09:02:00.401978+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.5 | 51671 | TCP
                        TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Nov 6, 2024 09:01:03.062659025 CET | 192.168.2.5 | 1.1.1.1 | 0xd210 | Standard query (0) | dcfas.duckdns.org | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:04.050671101 CET | 192.168.2.5 | 1.1.1.1 | 0xd210 | Standard query (0) | dcfas.duckdns.org | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:05.066374063 CET | 192.168.2.5 | 1.1.1.1 | 0xd210 | Standard query (0) | dcfas.duckdns.org | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:07.081918955 CET | 192.168.2.5 | 1.1.1.1 | 0xd210 | Standard query (0) | dcfas.duckdns.org | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:13.696635962 CET | 192.168.2.5 | 1.1.1.1 | 0xbe66 | Standard query (0) | dcfas.duckdns.org | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Nov 6, 2024 09:01:08.671559095 CET | 1.1.1.1 | 192.168.2.5 | 0xd210 | Server failure (2) | dcfas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:08.671578884 CET | 1.1.1.1 | 192.168.2.5 | 0xd210 | Server failure (2) | dcfas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:08.671588898 CET | 1.1.1.1 | 192.168.2.5 | 0xd210 | Server failure (2) | dcfas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:08.671602964 CET | 1.1.1.1 | 192.168.2.5 | 0xd210 | Server failure (2) | dcfas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                        Nov 6, 2024 09:01:13.704188108 CET | 1.1.1.1 | 192.168.2.5 | 0xbe66 | No error (0) | dcfas.duckdns.org |  | 45.135.232.38 | A (IP address) | IN (0x0001) | false
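The DNS tables above show the typical RAT start-up sequence: the sample queries a DuckDNS host, retransmits the same transaction ID (0xd210) while the resolver answers SERVFAIL, then gets an A record on a fresh transaction ID (0xbe66). For a remote-access trojan the address a dynamic-DNS name resolves to at start-up is the likely command-and-control endpoint, so both the name and the address are worth extracting as indicators. The script below is an added example, not part of the Joe Sandbox report or of the sample: it triages rows like these, flagging dynamic-DNS providers (the suffix list is an assumption; extend it for your environment), counting SERVFAIL answers and retransmits, and emitting the resolved address as an IOC. The input is the query and answer rows from the tables above, transcribed here as tab-separated text so the script runs offline.

```python
"""Triage sandbox DNS rows for RAT command-and-control indicators.

Added example; not part of the Joe Sandbox report or of the analysed sample.
"""
from datetime import datetime

SERVFAIL, NOERROR = 2, 0
# Providers frequently used for RAT rendezvous names. Assumed list: extend it.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.com",
                        ".ddns.net", ".hopto.org", ".zapto.org")

# Constructed input: the query/answer rows from the report's tables, re-encoded
# as TSV (timestamp, src IP, dst IP, transaction ID, name[, rcode, answer]).
QUERIES = """\
2024-11-06 09:01:03.062659\t192.168.2.5\t1.1.1.1\t0xd210\tdcfas.duckdns.org
2024-11-06 09:01:04.050671\t192.168.2.5\t1.1.1.1\t0xd210\tdcfas.duckdns.org
2024-11-06 09:01:05.066374\t192.168.2.5\t1.1.1.1\t0xd210\tdcfas.duckdns.org
2024-11-06 09:01:07.081918\t192.168.2.5\t1.1.1.1\t0xd210\tdcfas.duckdns.org
2024-11-06 09:01:13.696635\t192.168.2.5\t1.1.1.1\t0xbe66\tdcfas.duckdns.org
"""
ANSWERS = """\
2024-11-06 09:01:08.671559\t1.1.1.1\t192.168.2.5\t0xd210\tdcfas.duckdns.org\t2\t-
2024-11-06 09:01:08.671578\t1.1.1.1\t192.168.2.5\t0xd210\tdcfas.duckdns.org\t2\t-
2024-11-06 09:01:08.671588\t1.1.1.1\t192.168.2.5\t0xd210\tdcfas.duckdns.org\t2\t-
2024-11-06 09:01:08.671602\t1.1.1.1\t192.168.2.5\t0xd210\tdcfas.duckdns.org\t2\t-
2024-11-06 09:01:13.704188\t1.1.1.1\t192.168.2.5\t0xbe66\tdcfas.duckdns.org\t0\t45.135.232.38
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def _rows(tsv):
    return [line.split("\t") for line in tsv.splitlines() if line.strip()]


def is_dynamic_dns(name):
    host = name.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def verdict(entry):
    """'suspicious' = dynamic-DNS name that resolved (C2 candidate),
    'watch' = dynamic-DNS name that never resolved, else 'unremarkable'."""
    notes = []
    if entry["servfail_count"]:
        notes.append("%d SERVFAIL answers" % entry["servfail_count"])
    retransmits = entry["query_count"] - len(entry["transaction_ids"])
    if retransmits:
        notes.append("%d retransmits of an unanswered query" % retransmits)
    if not entry["dynamic_dns"]:
        return "unremarkable", notes
    return ("suspicious" if entry["resolved_ips"] else "watch"), notes


def analyze(queries_tsv, answers_tsv):
    """Per queried name: retry statistics, resolved addresses and a verdict."""
    report = {}
    for ts, _src, _dst, txid, name in _rows(queries_tsv):
        e = report.setdefault(name, {
            "dynamic_dns": is_dynamic_dns(name), "query_count": 0,
            "transaction_ids": set(), "servfail_count": 0, "resolved_ips": [],
            "first_query": _ts(ts), "first_resolved": None,
        })
        e["query_count"] += 1
        e["transaction_ids"].add(txid)
        e["first_query"] = min(e["first_query"], _ts(ts))
    for ts, _src, _dst, _txid, name, rcode, answer in _rows(answers_tsv):
        e = report.get(name)
        if e is None:  # answer for a query we never saw: ignore rather than guess
            continue
        if int(rcode) == SERVFAIL:
            e["servfail_count"] += 1
        elif int(rcode) == NOERROR and answer != "-":
            if answer not in e["resolved_ips"]:
                e["resolved_ips"].append(answer)
            e["first_resolved"] = e["first_resolved"] or _ts(ts)
    for e in report.values():
        e["transaction_ids"] = sorted(e["transaction_ids"])
        e["seconds_to_resolve"] = ((e["first_resolved"] - e["first_query"]).total_seconds()
                                   if e["first_resolved"] else None)
        e["verdict"], e["notes"] = verdict(e)
    return report


def iocs(report):
    """Indicators to block or hunt for: the name and every address it resolved to."""
    out = []
    for name, e in report.items():
        if e["verdict"] == "suspicious":
            out.append("domain:" + name)
            out.extend("ip:" + ip for ip in e["resolved_ips"])
    return out


if __name__ == "__main__":
    result = analyze(QUERIES, ANSWERS)
    for name, e in result.items():
        print(name, e["verdict"], e["notes"], e["resolved_ips"], e["seconds_to_resolve"])
    print(iocs(result))
```

On the rows above the name is reported as suspicious with four SERVFAIL answers and three retransmits, resolving after roughly 10.6 seconds to 45.135.232.38; the retry statistics are kept as notes rather than verdict drivers because a resolver hiccup alone is not evidence of anything.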


                        Target ID: 0
                        Start time: 03:00:59
                        Start date: 06/11/2024
                        Path: C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe
                        Wow64 process (32bit): false
                        Commandline: "C:\Users\user\Desktop\1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe"
                        Imagebase: 0xb30000
                        File size: 48'640 bytes
                        MD5 hash: E37CCBCD075C4EC7D14499980EDB88AB
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3301574225.000000001B7A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2044018990.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3299677795.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3300116066.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3300116066.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation: low
                        Has exited: false


                          Execution Graph

                          Execution Coverage: 26.2%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 6
                          Total number of Limit Nodes: 0
                          Graph (node: address, API called -> successor):
                          • 4984: 7ff848f12d3d -> 4985: 7ff848f12d4b (VirtualProtect) -> 4987: 7ff848f12e2b
                          • 4988: 7ff848f129e1 -> 4989: 7ff848f129eb (LoadLibraryA) -> 4991: 7ff848f12ad2
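The execution graph records VirtualProtect and LoadLibraryA being called from code at 7ff848f12xxx, inside a memory dump whose source is marked "based on PE: false", that is, code that is not backed by any PE image mapped from disk. That is exactly the condition a memory-hunting check looks for on a live host: committed, executable memory of type MEM_PRIVATE (or MEM_MAPPED) rather than MEM_IMAGE. The script below is an added example, not part of the Joe Sandbox report. The classification is pure Python so it can be tested anywhere; the live enumeration walks the target with VirtualQueryEx through ctypes and only runs on Windows with a 64-bit Python (the MEMORY_BASIC_INFORMATION layout is the x64 one). The sample region list is constructed: only the base address 0x7ff848f10000 comes from the report's dump source, and its RWX protection, like the other two regions, is an assumption. Treat hits as triage leads, not verdicts; JIT compilers such as the .NET CLR create private executable regions legitimately, so the next step is dumping the region and looking at what is in it.

```python
"""Find executable memory that is not backed by a PE image in a live process.

Added example (not from the Joe Sandbox report). classify_region() and
triage() are pure Python; scan_process() needs Windows and a 64-bit Python.
"""
import ctypes
import sys

# Win32 constants (winnt.h / memoryapi.h)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_EXECUTE_ANY = 0xF0          # EXECUTE | EXECUTE_READ | EXECUTE_READWRITE | EXECUTE_WRITECOPY
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
USER_SPACE_END = 0x7FFFFFFFFFFF  # highest user-mode address on x64 Windows


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # x64 layout (48 bytes); PartitionId sits in what older SDKs left as padding.
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("PartitionId", ctypes.c_uint16),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def classify_region(state, protect, mem_type):
    """None = not committed or not executable; 'image-exec' = section of a
    mapped PE (expected); anything else is code living outside an image."""
    if state != MEM_COMMIT or not (protect & PAGE_EXECUTE_ANY):
        return None
    if mem_type == MEM_IMAGE:
        return "image-exec"
    writable = bool(protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))
    origin = "private" if mem_type == MEM_PRIVATE else "mapped"
    return "%s-%s" % (origin, "rwx" if writable else "rx")


def triage(regions):
    """regions: iterable of (base, state, protect, type). Returns the
    non-image executable regions as (base, tag), most dangerous first."""
    rank = {"private-rwx": 0, "mapped-rwx": 1, "private-rx": 2, "mapped-rx": 3}
    hits = []
    for base, state, protect, mem_type in regions:
        tag = classify_region(state, protect, mem_type)
        if tag and tag != "image-exec":
            hits.append((base, tag))
    return sorted(hits, key=lambda h: (rank[h[1]], h[0]))


def scan_process(pid):
    """Walk the target's address space with VirtualQueryEx (Windows x64 only)."""
    if sys.platform != "win32":
        raise OSError("scan_process needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, mbi, addr = [], MEMORY_BASIC_INFORMATION(), 0
    try:
        while addr < USER_SPACE_END:
            if not k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
                break  # past the last queryable region
            base = mbi.BaseAddress or 0
            regions.append((base, mbi.State, mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return triage(regions)


# Constructed sample. Only the 0x7ff848f10000 base is taken from the report's
# dump source; the protections and the other two regions are assumptions.
SAMPLE_REGIONS = [
    (0x00B32000, MEM_COMMIT, 0x20, MEM_IMAGE),        # .text of the loaded PE: expected
    (0x7FF848F10000, MEM_COMMIT, 0x40, MEM_PRIVATE),  # non-PE code, VirtualProtect call site
    (0x1B7A1000, MEM_COMMIT, 0x04, MEM_PRIVATE),      # heap, read/write only
]

if __name__ == "__main__":
    hits = scan_process(int(sys.argv[1])) if len(sys.argv) > 1 else triage(SAMPLE_REGIONS)
    for base, tag in hits:
        print("%#018x  %s" % (base, tag))
```

Run it with a PID to scan a live process, or without arguments to classify the constructed sample, where only the private RWX region at 0x7ff848f10000 is reported. PAGE_GUARD and PAGE_NOCACHE modifiers are ignored by the mask, so a guarded executable page is still counted; reserved (uncommitted) regions never are.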

                          Control-flow Graph (rendered figure; the executed / not-executed colouring is not recoverable in text)
                          Function at 7ff848f130e5, basic blocks spanning 7ff848f130e5-7ff848f138a4; calls 7ff848f11998, 7ff848f119a8, 7ff848f119b8, 7ff848f138d5, 7ff848f119c8, 7ff848f119d8, 7ff848f12418 (from two blocks), 7ff848f11988 and 7ff848f10628.
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3302757485.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff848f10000_1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f12.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,
                          • API String ID: 0-3772416878
                          • Opcode ID: 7079fb434d8e457416f52fd623630a8fcb044aabaea39b60e0e6a17313645882
                          • Instruction ID: 5e911088446ed92d8dc020e8f13e2e368e8f93b6f9aa04f27348484274098954
                          • Opcode Fuzzy Hash: 7079fb434d8e457416f52fd623630a8fcb044aabaea39b60e0e6a17313645882
                          • Instruction Fuzzy Hash: 9732BF31A1D90A8FEB98FB2C94696B977E2FF98390F500579D04EC32C6DE2CAC418745
                          Memory Dump Source
                          • Source File: 00000000.00000002.3302757485.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff848f10000_1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f12.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fa460f6b9ae4f02571319da57309a158769c3145070077fda82a59695a6f57e2
                          • Instruction ID: 15cc96b883391f762985cc7d4153141426e92aa17b31ab3dc9df29aa3b00951f
                          • Opcode Fuzzy Hash: fa460f6b9ae4f02571319da57309a158769c3145070077fda82a59695a6f57e2
                          • Instruction Fuzzy Hash: 43F1913091CA8D8FEBA8EF28C8557E937E1FF54350F44426AE84DC7291DF7899458B82
                          Memory Dump Source
                          • Source File: 00000000.00000002.3302757485.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff848f10000_1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f12.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a754baac45399d2cc80dc6124a4cc1dfb47a65cea7037291b1eca6977f36ead1
                          • Instruction ID: 25d1cb538dfb692513c056b727b6a47fd0a41766d92f5c32d684a12b478f021f
                          • Opcode Fuzzy Hash: a754baac45399d2cc80dc6124a4cc1dfb47a65cea7037291b1eca6977f36ead1
                          • Instruction Fuzzy Hash: 01E1C330A0CA8D8FEBA9EF28C8557E977D1FF54350F44426AD84DC7695CB78A8418B81

                          Control-flow Graph (function at 7ff848f129e1; the executed / not-executed colouring is not recoverable in text)
                          • 7ff848f129e1-7ff848f12ad0: calls LoadLibraryA -> 7ff848f12ad8 or 7ff848f12ad2
                          • 7ff848f12ad2 -> 7ff848f12ad8
                          • 7ff848f12ad8-7ff848f12b31: calls 7ff848f12b32
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.3302757485.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff848f10000_1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f12.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: b8135a9390954d1e198763f83fc69b1f30d9572ee00ab4afc632fb149a9b5469
                          • Instruction ID: 8530a0d1a4553e3a7fe581e947a3a9c2e5ed01f0a724e35c8f2c10026e5fa834
                          • Opcode Fuzzy Hash: b8135a9390954d1e198763f83fc69b1f30d9572ee00ab4afc632fb149a9b5469
                          • Instruction Fuzzy Hash: 9E414B30908A5C8FDB98EF98D859BE9BBF1FF99310F10416AD04DD7292CB75A845CB81

                          Control-flow Graph (function at 7ff848f12d3d; the executed / not-executed colouring is not recoverable in text)
                          • 7ff848f12d3d-7ff848f12d49 -> 7ff848f12d4b or 7ff848f12d54
                          • 7ff848f12d4b-7ff848f12d53 -> 7ff848f12d54
                          • 7ff848f12d54-7ff848f12d63 -> 7ff848f12d6e or 7ff848f12d65
                          • 7ff848f12d65-7ff848f12d6d -> 7ff848f12d6e
                          • 7ff848f12d6e-7ff848f12e29: calls VirtualProtect -> 7ff848f12e2b or 7ff848f12e31
                          • 7ff848f12e2b -> 7ff848f12e31
                          • 7ff848f12e31-7ff848f12e59
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.3302757485.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ff848f10000_1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f12.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 0db70f14d2dd5e5a2c766350fe786f442773fbaba2e542603524cb58ed10845b
                          • Instruction ID: eaa39dd8370efe58ac8efe596b0432226861229a69d6f56971af99b2a01e814c
                          • Opcode Fuzzy Hash: 0db70f14d2dd5e5a2c766350fe786f442773fbaba2e542603524cb58ed10845b
                          • Instruction Fuzzy Hash: 0141043190D7884FDB19DBA89C566A97FF1EF96321F0442AFD089C3193CB786806C796