Edit tour

Windows Analysis Report
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Overview

General Information

Sample name:	17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe
Analysis ID:	1553106
MD5:	01ef0ba434c74e68df6e94737826d22f
SHA1:	86c934eb90ae6ecc38fd7dd38001552f618d5e5f
SHA256:	48ee878fefc7d5d9df66fc978dfaafcfb61129acf92b1143e1b865ab292be9f0
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe" MD5: 01EF0BA434C74E68DF6E94737826D22F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "dckast.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "IcjempBO8d2MCouzOGusB0svKBQJXA6a", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "ZIALyYaEK2Gf9gnEAWavWOlpzAiUytpYF0CfNaOtJ8GspQ6HPAr4iuTjM7Rva8TOykfQUmKjNP6Kbjdj6exK3H8TCZIcKZdURtF0TCwSQvECT0GIeTVFARCSyw9L7oDKWUmPRrmclA8bpdKzhVCHHWUMlnSSUQbraA0yIMRWCzQ=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x98ec:$a2: timeout 3 > NUL 0x990c:$a3: START "" " 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.3264671730.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4f58c:$b2: DcRat By qwqdanchun1
00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x55d0:$b1: DcRatByqwqdanchun 0x29e3dc:$b2: DcRat By qwqdanchun1
Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x211e8:$a1: havecamera 0x4253:$b1: DcRatByqwqdanchun 0x25dcb:$b1: DcRatByqwqdanchun 0xbea0:$b2: DcRat By qwqdanchun1 0x2ce6e:$b2: DcRat By qwqdanchun1
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T11:53:27.865161+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	49707	TCP
2024-11-10T11:54:06.445320+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.5	49862	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": "dckast.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "IcjempBO8d2MCouzOGusB0svKBQJXA6a", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "ZIALyYaEK2Gf9gnEAWavWOlpzAiUytpYF0CfNaOtJ8GspQ6HPAr4iuTjM7Rva8TOykfQUmKjNP6Kbjdj6exK3H8TCZIcKZdURtF0TCwSQvECT0GIeTVFARCSyw9L7oDKWUmPRrmclA8bpdKzhVCHHWUMlnSSUQbraA0yIMRWCzQ=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	ReversingLabs: Detection: 81%
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Virustotal: Detection: 76%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Joe Sandbox ML: detected

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: dckast.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: dckast.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 45.135.232.38:35650

Source: Joe Sandbox View

IP Address: 45.135.232.38 45.135.232.38

Source: Joe Sandbox View

ASN Name: ASBAXETNRU ASBAXETNRU

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49862
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49707

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dckast.duckdns.org

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3264671730.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Code function: 0_2_00007FF848DA308D

0_2_00007FF848DA308D

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000000.2024789896.0000000000A8E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe" vs 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3264671730.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, Settings.cs	Base64 encoded string: 'XdIMr3DfHPVWG7i0DgU381uXZbKGsO343wXMjENGAQ3/S/xbBju3RpMBkyi5pGjqtvqAuOXG/Zo33UOMvuYtuA==', 'QKiV0MZ8cAMSMQPrZz6NjO73qu8qmMa8SelebdZYAISS8E8B5lDRlEvDUYDmUzq6chqVQHy2/yGWlV4Qt9iJ0g==', 'RCu73t0dkF5BCKgJOq8EqhwZkc3ILb4uReU7OuxcfXKXkWTyyva9YRotvewC3f7guNUBvBqEUE4BK0MAfZkoZYaYlaz0shLuBqMZJUFaVfI=', 'pUeVdv9HUKzewwjroNrDBMPVfA/PeUdWxDAwJ5ipQ10Ze6/XmyRlWNnk4zAcpFRxkrdeJE8/ZMSEDnTG0IDJ0fF85tBmJxwFHBBKo2nT9XeMiCIawK0je7cV32vT7umlAFuwCc822XusOyecc0l/lvZOQ0/5ogD+pRczQgVxnsC1RyBwcDPoNb+Upr64Vr3kPTKxmVIzcbH2zuPPRfkuQ/YkufwSgQbVIGS8dy9BWLVFmkt7a+rXMGj+6JHADywEJ0BVvFwvgpx1LI54WbhTi/oultIAO/++5Bcpjjv5vUQ=', 'mjvTqGmMaPrekjciiSBtVN6fC8hCPQ94oaV8dGQPhqFQBxgH06SX/Lcq0tYrVVe2Uvl/Ls1iL84Y9RJ0j0XzWA==', 'OC7lj/tI5fuT0CguxMaZWTHrXmjmV5iXdRKBHggA25SLCjqfe1rtSekFBr9Uf/4ODqxt/aajn/FQR9affsHrWw==', 'NpkG/O0FmKBBoGncAO2Fsu6lRYnPNVuc/FkV7xsQQ1ZO+AyWd3c2uDgQkgdcevWDgBdPsFEC9F92TOT8hOKROg==', 'ir3agYRntJvL4HwBx40oqoGOBczbE72UXzjqxpg3kn9fUmOHZuXWmDdUKpKoAOZrFALN54kQJl4EKKF5Mdij8A==', '+kxCV5kzL3RZ403WTn5+FC0bF/KEc0yt8pNpOLXQbqtZM/KV2PjQot+gmKPLruKHCF81H+s6wYQZskP4FU8RRg=='
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	ReversingLabs: Detection: 81%
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Code function: 0_2_00007FF848DA00BD pushad ; iretd

0_2_00007FF848DA00C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Memory allocated: 2C90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Memory allocated: 1AD40000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe TID: 1996

Thread sleep time: -95000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000002.3266225739.000000001B6BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe PID: 1992, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	76%	Virustotal		Browse
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	100%	Avira	HEUR/AGEN.1307404
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
dckast.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dckast.duckdns.org	45.135.232.38	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dckast.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe, 00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.135.232.38	dckast.duckdns.org	Russian Federation		49392	ASBAXETNRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553106
Start date and time:	2024-11-10 11:52:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.135.232.38	1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse
	172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe	Get hash	malicious	Remcos	Browse
	sostener.vbs	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASBAXETNRU	1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.135.232.38
	arm5.elf	Get hash	malicious	Mirai	Browse	212.196.181.187
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	194.87.252.100
	dvc2TBOZTh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	194.135.20.4
	teh76E2k50.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	194.135.20.4
	SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe	Get hash	malicious	Xmrig	Browse	45.89.228.144
	bin.armv7l.elf	Get hash	malicious	Mirai	Browse	212.192.15.49
	https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14	Get hash	malicious	Phisher	Browse	45.147.195.16
	https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14	Get hash	malicious	Phisher	Browse	45.147.195.16
	7p6TMfaWhQ.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	45.142.44.233

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.620781820179294
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe
File size:	48'640 bytes
MD5:	01ef0ba434c74e68df6e94737826d22f
SHA1:	86c934eb90ae6ecc38fd7dd38001552f618d5e5f
SHA256:	48ee878fefc7d5d9df66fc978dfaafcfb61129acf92b1143e1b865ab292be9f0
SHA512:	d489c98df8ae90621922cba7d4ff0e3d937382ef60900cd2af7b319e2902048576f8a41c32210ea6b555c0ae753d5f930d234f28827227e2fe1343cc2a46057f
SSDEEP:	768:xGq+s3pUtDILNCCa+Di+0j1rgLqRp8AofiV8YbOgekOHg3LTvEgK/JLZVc6KN:8q+AGtQO+OOPAbzbxgHcTnkJLZVclN
TLSH:	5B236D0037D8C136E2FD4BB4A9F2A2458279D6675903CA996CC815EA2B13FC597036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cbbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb68	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabc4	0xac00	ccfb5bc34bf8e2c2f1fb1b8335f8ff03	False	0.5024073401162791	data	5.6464763236392	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	82148d01c3935cf90ef81a3dd1fad607	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-10T11:53:27.865161+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.5	49707	TCP
2024-11-10T11:54:06.445320+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.5	49862	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 11:53:12.031997919 CET	49704	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:12.036824942 CET	35650	49704	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:12.036917925 CET	49704	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:12.057600021 CET	49704	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:12.062524080 CET	35650	49704	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:12.656487942 CET	35650	49704	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:12.656637907 CET	49704	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:17.752285957 CET	49704	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:17.753823996 CET	49705	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:17.911768913 CET	35650	49704	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:17.911792040 CET	35650	49705	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:17.911922932 CET	49705	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:17.912415028 CET	49705	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:17.918600082 CET	35650	49705	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:18.526166916 CET	35650	49705	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:18.526287079 CET	49705	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:23.530694008 CET	49705	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:23.531831980 CET	49706	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:23.535490036 CET	35650	49705	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:23.536561012 CET	35650	49706	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:23.536638021 CET	49706	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:23.536927938 CET	49706	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:23.541680098 CET	35650	49706	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:24.163470984 CET	35650	49706	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:24.163547993 CET	49706	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:29.171411037 CET	49706	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:29.172456026 CET	49714	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:29.176176071 CET	35650	49706	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:29.177290916 CET	35650	49714	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:29.177367926 CET	49714	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:29.177675009 CET	49714	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:29.182389021 CET	35650	49714	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:29.795591116 CET	35650	49714	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:29.795665979 CET	49714	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:34.796605110 CET	49714	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:34.797620058 CET	49745	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:34.801445007 CET	35650	49714	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:34.802402973 CET	35650	49745	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:34.802491903 CET	49745	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:34.802819967 CET	49745	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:34.807816982 CET	35650	49745	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:35.423825979 CET	35650	49745	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:35.423886061 CET	49745	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:40.436989069 CET	49745	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:40.437971115 CET	49777	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:40.442044020 CET	35650	49745	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:40.443003893 CET	35650	49777	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:40.443072081 CET	49777	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:40.443293095 CET	49777	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:40.448093891 CET	35650	49777	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:41.053394079 CET	35650	49777	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:41.053492069 CET	49777	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:46.062001944 CET	49777	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:46.062768936 CET	49854	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:46.066926003 CET	35650	49777	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:46.067584991 CET	35650	49854	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:46.067646027 CET	49854	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:46.067832947 CET	49854	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:46.072566032 CET	35650	49854	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:46.072979927 CET	35650	49854	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:51.078989029 CET	49859	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:51.083878040 CET	35650	49859	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:51.083991051 CET	49859	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:51.084250927 CET	49859	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:51.089051008 CET	35650	49859	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:51.702980042 CET	35650	49859	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:51.703077078 CET	49859	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.719588041 CET	49859	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.720385075 CET	49860	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.724389076 CET	35650	49859	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:56.725222111 CET	35650	49860	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:56.725282907 CET	49860	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.725562096 CET	49860	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.730108023 CET	35650	49860	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:56.730173111 CET	49860	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:53:56.730331898 CET	35650	49860	45.135.232.38	192.168.2.5
Nov 10, 2024 11:53:56.734927893 CET	35650	49860	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:01.734946012 CET	49861	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:01.739713907 CET	35650	49861	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:01.739805937 CET	49861	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:01.740067959 CET	49861	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:01.744833946 CET	35650	49861	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:02.352153063 CET	35650	49861	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:02.352227926 CET	49861	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:07.358957052 CET	49861	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:07.359776020 CET	49863	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:07.363940954 CET	35650	49861	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:07.364785910 CET	35650	49863	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:07.364871025 CET	49863	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:07.365176916 CET	49863	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:07.370059967 CET	35650	49863	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:07.978771925 CET	35650	49863	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:07.978846073 CET	49863	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:12.983974934 CET	49863	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:12.988816023 CET	35650	49863	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:13.102504015 CET	49864	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:13.107431889 CET	35650	49864	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:13.107501030 CET	49864	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:13.107774973 CET	49864	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:13.112519026 CET	35650	49864	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:13.721029043 CET	35650	49864	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:13.721120119 CET	49864	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.734035969 CET	49864	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.735045910 CET	49865	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.739237070 CET	35650	49864	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:18.739875078 CET	35650	49865	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:18.739959002 CET	49865	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.740231991 CET	49865	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.745012045 CET	35650	49865	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:18.745064974 CET	49865	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:18.745119095 CET	35650	49865	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:18.750684977 CET	35650	49865	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:23.752490997 CET	49866	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:23.757515907 CET	35650	49866	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:23.757582903 CET	49866	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:23.757913113 CET	49866	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:23.762682915 CET	35650	49866	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:24.393441916 CET	35650	49866	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:24.393517971 CET	49866	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.405945063 CET	49866	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.406838894 CET	49867	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.410797119 CET	35650	49866	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:29.411616087 CET	35650	49867	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:29.411696911 CET	49867	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.412101984 CET	49867	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.416815996 CET	35650	49867	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:29.416825056 CET	35650	49867	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:29.416877031 CET	49867	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:29.421632051 CET	35650	49867	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:34.427782059 CET	49868	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:34.433037043 CET	35650	49868	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:34.433115959 CET	49868	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:34.433451891 CET	49868	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:34.438762903 CET	35650	49868	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:34.438796997 CET	35650	49868	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:34.438833952 CET	49868	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:34.443775892 CET	35650	49868	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:39.454268932 CET	49869	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:39.459081888 CET	35650	49869	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:39.459172010 CET	49869	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:39.459512949 CET	49869	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:39.464246035 CET	35650	49869	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:40.099806070 CET	35650	49869	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:40.099898100 CET	49869	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.109091043 CET	49869	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.109878063 CET	49870	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.113954067 CET	35650	49869	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:45.114650011 CET	35650	49870	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:45.114717007 CET	49870	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.115113974 CET	49870	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.119771004 CET	35650	49870	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:45.119843960 CET	49870	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:45.119857073 CET	35650	49870	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:45.124594927 CET	35650	49870	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:50.125715017 CET	49871	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:50.130546093 CET	35650	49871	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:50.130629063 CET	49871	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:50.130893946 CET	49871	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:50.135632992 CET	35650	49871	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:50.746371984 CET	35650	49871	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:50.746444941 CET	49871	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:55.749741077 CET	49871	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:55.750850916 CET	49872	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:55.754547119 CET	35650	49871	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:55.755662918 CET	35650	49872	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:55.755747080 CET	49872	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:55.756056070 CET	49872	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:54:55.760971069 CET	35650	49872	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:56.367728949 CET	35650	49872	45.135.232.38	192.168.2.5
Nov 10, 2024 11:54:56.367834091 CET	49872	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.381477118 CET	49872	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.385504007 CET	49873	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.386384964 CET	35650	49872	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:01.390316010 CET	35650	49873	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:01.390391111 CET	49873	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.390707016 CET	49873	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.395308971 CET	35650	49873	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:01.395364046 CET	49873	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:01.395446062 CET	35650	49873	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:01.400125027 CET	35650	49873	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:06.463587999 CET	49874	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:06.468508959 CET	35650	49874	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:06.468621969 CET	49874	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:06.473761082 CET	35650	49874	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:06.473834991 CET	49874	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:06.488254070 CET	49874	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:06.493046045 CET	35650	49874	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:11.500880957 CET	49875	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:11.505697012 CET	35650	49875	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:11.505783081 CET	49875	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:11.506089926 CET	49875	35650	192.168.2.5	45.135.232.38
Nov 10, 2024 11:55:11.510858059 CET	35650	49875	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:12.125915051 CET	35650	49875	45.135.232.38	192.168.2.5
Nov 10, 2024 11:55:12.125976086 CET	49875	35650	192.168.2.5	45.135.232.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 11:53:11.050909042 CET	55953	53	192.168.2.5	1.1.1.1
Nov 10, 2024 11:53:12.024605989 CET	53	55953	1.1.1.1	192.168.2.5
Nov 10, 2024 11:54:12.984689951 CET	50120	53	192.168.2.5	1.1.1.1
Nov 10, 2024 11:54:13.101888895 CET	53	50120	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 10, 2024 11:53:11.050909042 CET	192.168.2.5	1.1.1.1	0x231c	Standard query (0)	dckast.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 10, 2024 11:54:12.984689951 CET	192.168.2.5	1.1.1.1	0x5dca	Standard query (0)	dckast.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 10, 2024 11:53:12.024605989 CET	1.1.1.1	192.168.2.5	0x231c	No error (0)	dckast.duckdns.org		45.135.232.38	A (IP address)	IN (0x0001)	false
Nov 10, 2024 11:54:13.101888895 CET	1.1.1.1	192.168.2.5	0x5dca	No error (0)	dckast.duckdns.org		45.135.232.38	A (IP address)	IN (0x0001)	false

Analysis Process: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exePID: 1992, Parent PID: 1028

General

Target ID:	0
Start time:	05:53:07
Start date:	10/11/2024
Path:	C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe"
Imagebase:	0xa80000
File size:	48'640 bytes
MD5 hash:	01EF0BA434C74E68DF6E94737826D22F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2024775474.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3264671730.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3265097856.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exePID: 1992, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848DA308D Relevance: 2.0, Strings: 1, Instructions: 786
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FF848DA321A

Memory Dump Source

Source File: 00000000.00000002.3267024568.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e1.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5a76795d3849e5ecb6c8b98e285c2283883591695e4212a49c57206b3da64349
Instruction ID: 9b54812081e6af7abe1d4fd80b1acaa8a4f1568d24b4cc364cfbac3e810a4d63
Opcode Fuzzy Hash: 5a76795d3849e5ecb6c8b98e285c2283883591695e4212a49c57206b3da64349
Instruction Fuzzy Hash: 91320030A1DA4A8FEB98FB2C94557B973E2FF98390F640579D04EC36C6CF28A8458745

Function 00007FF848DA29E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF848DA2ABF

Memory Dump Source

Source File: 00000000.00000002.3267024568.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a1b7cc905a5fcc3a5f3b139e20890a644ef985ff48f5fe010b562b25b584bd19
Instruction ID: df6da54957d5c1162b61458d55bd8b373dd5156df6ac5f670dfff6e5c50c27e3
Opcode Fuzzy Hash: a1b7cc905a5fcc3a5f3b139e20890a644ef985ff48f5fe010b562b25b584bd19
Instruction Fuzzy Hash: F7415D30909A5C8FDB98EF58D845BE9BBF1FF99310F10416AD00DD7296CB75A845CB81

Function 00007FF848DA2D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF848DA2E1A

Memory Dump Source

Source File: 00000000.00000002.3267024568.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b8b5c99e3bbc11e9a18f4cf2d96f226829b4af824605e787d39cb17d573e19ce
Instruction ID: 42223e337b7179f2b1f9390d274837e170a8829360b1286bf3d9f138fb584752
Opcode Fuzzy Hash: b8b5c99e3bbc11e9a18f4cf2d96f226829b4af824605e787d39cb17d573e19ce
Instruction Fuzzy Hash: BF41063190D7885FDB199B6898466A97FE0EF96321F1442AFD089C3193CB746806C796

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe

Function 00007FF848DA308D Relevance: 2.0, Strings: 1, Instructions: 786
COMMON

Function 00007FF848DA29E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Function 00007FF848DA2D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON