
Windows Analysis Report
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe

Overview

General Information

Sample name:17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
Analysis ID:1555518
MD5:a5ecad34cb793dbb9c03a601093e1c96
SHA1:6cebe7561b40cc11e15629ef7a3df55f3f411cbb
SHA256:cdbd60dbcef6cb4aab7fc1094547a3f16500c0c70032b30faacd6df5a5b0199b
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "dckazts.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "KqHyAloIVZbvGi3MrMWH21oQwLkhebmF", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "hmePP5ubexg0uqiG87LncCQ0+hwnlruI8+t984Vgf53QHnvJIyMKJiIoghHP8eh4f17f8idwGvwY1RLvvRih3wW6hK/AG+tBrAIi0eHlsyGEuXt3Bwz3mcuSTh18LdyKI99KndUqHikd8saf6IFsnFfSI5FnpjD9EEqN0DVe24M=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source | Rule | Description | Author | Strings
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65fb:$a1: havecamera
    • 0x9aec:$a2: timeout 3 > NUL
    • 0x9b0c:$a3: START "" "
    • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x9997:$s2: L2Mgc2NodGFza3MgL2
    • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9cce:$q1: Select * from Win32_CacheMemory
    • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0xa146:$s1: DcRatBy

Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x507:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0xded8:$b2: DcRat By qwqdanchun1
00000000.00000002.2723462562.00000000011B7000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x4b68c:$b2: DcRat By qwqdanchun1
00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x63fb:$a1: havecamera
    • 0x98ec:$a2: timeout 3 > NUL
    • 0x990c:$a3: START "" "
    • 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.2725457488.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0xc2b0:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65fb:$a1: havecamera
    • 0x9aec:$a2: timeout 3 > NUL
    • 0x9b0c:$a3: START "" "
    • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x9997:$s2: L2Mgc2NodGFza3MgL2
    • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9cce:$q1: Select * from Win32_CacheMemory
    • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0xa146:$s1: DcRatBy
        No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T01:58:38.554711+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.8 | 49708 | TCP
2024-11-14T01:59:17.974684+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.8 | 49716 | TCP
2024-11-14T01:58:23.010827+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP
2024-11-14T01:58:23.010827+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP
2024-11-14T01:58:23.010827+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP

        AV Detection

Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Avira: detected
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"Server": "dckazts.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "KqHyAloIVZbvGi3MrMWH21oQwLkhebmF", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "hmePP5ubexg0uqiG87LncCQ0+hwnlruI8+t984Vgf53QHnvJIyMKJiIoghHP8eh4f17f8idwGvwY1RLvvRih3wW6hK/AG+tBrAIi0eHlsyGEuXt3Bwz3mcuSTh18LdyKI99KndUqHikd8saf6IFsnFfSI5FnpjD9EEqN0DVe24M=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Virustotal: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:35650 -> 192.168.2.8:49706
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.8:49706
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.8:49706
Source: Malware configuration extractor | URLs: dckazts.duckdns.org
Source: unknown | DNS query: name: dckazts.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 45.135.232.38:35650
Source: Joe Sandbox View | IP Address: 45.135.232.38
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49708
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.8:49716
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dckazts.duckdns.org
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723462562.0000000001155000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2725457488.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab6
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2725457488.000000001B826000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c4044c02f6f2
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR

        System Summary

Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2723462562.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2725457488.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Code function: 0_2_00007FFB4AD38346
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Code function: 0_2_00007FFB4AD330E2
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Code function: 0_2_00007FFB4AD390F2
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000000.1463072024.0000000000BDE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2723462562.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2725457488.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, Settings.cs | Base64 encoded string: '//HJeb5sRkZ/jyu4Zk8cnF1iGZNHgNUolG7L2FJ9lkJeO77eV6E6JaA+IfypY7PE+iO9b6bnr7H+wwmUcMdkww==', 'VKsJIODt0nwnDkQh8qW6HggmsCgaKRRHDXg3V/Gtz/v0/+jr36JYzYUflIAzp2ANTYYog5cZQOW9wFYy8j17TjaOH0Rvz1aAToAeQc2p+GI=', 'Nrg4UySFqHbln8mpiuuwy8/SYMBq8MgIBsbixawgdprgJvO4gRsexrXJyCYmA51RGMUICmARiEvC2cgB+tKQqw==', 'iHqRIyWrxWuiZPBpWyqr7teMKq0puHV22EeHdmDJPlSHMYTZE/hlp94uez2825oQJcYPzKPbJYMYc+EeCq76yA==', '+Mz3WxW+Qlw2lMTWl/nlfY9fplEnsrdIiX3EgNvfP6bJzXNjO9D1/PeBbgbDtPAa51C1JdCGV9FO/M/+a+53SOEB5t565CI0xac1PeBLJ9o=', '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', 'hK6vjYujSKDvPDGpDd6NedjLNP6m79JRktj4AluUeeXBJSfgE0E0cGNfZZzRVG0nU0WjoOJ2/YAyQ/DLY/Y7U770A2iREebuzhvnu82IP4lG4yHpHK68bOaQdrtxIJk1oopf5fjYWaCBHSFAWxrryA+niyEnzIBQpv1ITIimsXZC1kws3wFNySrR9ZHrinw6qrvEcMPYs3VK9KevMfSY/ZD1atmFE3X/olpWUCjzrdkGfDysHyyVmh8PU/estmB5pb0ySwViYTzvNM+Kn2Xd7Gb+67AcJ8x4/UtTrdfDIhU=', 'oig3WO19f1iO9GGN1TZ4n9mxpo/XCDP4WkOg4UTLq+YlTT1fFQQv/FRWQEEoqC+SR/Bu3vh1drfWIQEF376qOQ==', 'kKYRzJCSmkMrbRhJeb1w54SP75FsvJi0gmc5vKtPeFyUF+EhMxIa4YMK9F2GmLhTEQvEpEJvtKl39ee7VMx/Sg==', 'PQNr3tJtg0jZf1dt+Pd1yEUkIKSjpSJg3zEivmE6BF/xK3rBa9XMEz5xpe+FZq7I8Wz/LdnluiOXkcbTd5AAtQ=='
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: webio.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: devenum.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeSection loaded: msdmo.dllJump to behavior
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeCode function: 0_2_00007FFB4AD300BD pushad ; iretd 0_2_00007FFB4AD300C1
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeCode function: 0_2_00007FFB4AD30690 pushad ; retn FB4Ah0_2_00007FFB4AD306DB

        Boot Survival

        Source: Yara match, file source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE
        Source: Yara match, file source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match, file source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE
        Source: Yara match, file source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Memory allocated: 1120000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Memory allocated: 1AF20000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Window / User API: threadDelayed 7277
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Window / User API: threadDelayed 2577
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe TID: 4692, thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe TID: 5904, thread sleep count: 37 > 30
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe TID: 5904, thread sleep time: -34126476536362649s >= -30000s
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe TID: 5896, thread sleep count: 7277 > 30
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe TID: 5896, thread sleep count: 2577 > 30
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Thread delayed: delay time: 922337203685477
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, Amsi.cs Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe VolumeInformation
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: Yara match, file source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, type: SAMPLE
        Source: Yara match, file source: 0.0.17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe.bd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MSASCui.exe
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723462562.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2725621389.000000001B87B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
        Source: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MsMpEng.exe
        Source: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

        Stealing of Sensitive Information

        Source: Yara match, file source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, file source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe PID: 4932, type: MEMORYSTR

        MITRE ATT&CK Matrix (one line per tactic column; numeric prefixes are carried over from the report's matrix cells)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task
        Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: 1 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
        Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Process Injection; 111 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
        Source | Detection | Scanner | Label
        17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
        17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | 74% | Virustotal |
        17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307404
        17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        Source | Detection | Scanner | Label
        dckazts.duckdns.org | 0% | Avira URL Cloud | safe

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
        dckazts.duckdns.org | 45.135.232.38 | true | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        dckazts.duckdns.org | true | Avira URL Cloud: safe | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe, 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | false | | high
        IP | Domain | Country | ASN | ASN Name | Malicious
        45.135.232.38 | dckazts.duckdns.org | Russian Federation | 49392 | ASBAXETNRU | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1555518
              Start date and time:2024-11-14 01:57:13 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 21s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/2@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 6
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 199.232.210.172, 93.184.221.240
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
19:58:23 | API Interceptor | 1x Sleep call for process: 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.135.232.38 | 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe | malicious | AsyncRAT, DcRat |
 | 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | malicious | AsyncRAT, DcRat |
 | sostener.vbs | malicious | AsyncRAT, DcRat |
 | 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | malicious | Remcos |
 | 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | malicious | AsyncRAT, DcRat |
 | decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe | malicious | Remcos |
 | sostener.vbs | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 1f6e2459-4201-c48e-d422-ad529ba9691a.eml | malicious | Unknown | 199.232.210.172
 | http://subjectsfaintly.com | malicious | Unknown | 199.232.214.172
 | https://buycode.us/ | malicious | Unknown | 199.232.210.172
 | http://badbutperfect.com | malicious | Unknown | 199.232.214.172
 | http://u48113141.ct.sendgrid.net/ | malicious | Unknown | 199.232.210.172
 | https://vivantskincare.taplink.ws | malicious | HTMLPhisher | 199.232.214.172
 | sbafla - John Bradley your alert(s) workspace - to review - 11132024.msg | malicious | Unknown | 199.232.210.172
 | https://usps.com-qaze.xyz/l | malicious | Unknown | 199.232.210.172
 | http://rdsdelivery.com | malicious | Unknown | 199.232.214.172
 | https://hisplavv4237link239.z11.web.core.windows.net/winside/00Windbndktw0win11advance/index.html | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASBAXETNRU | 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe | malicious | AsyncRAT, DcRat | 45.135.232.38
 | 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe | malicious | AsyncRAT, DcRat | 45.135.232.38
 | arm5.elf | malicious | Mirai | 212.196.181.187
 | Payload 94.75 (2).225.exe | malicious | Unknown | 194.87.252.100
 | dvc2TBOZTh.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.135.20.4
 | teh76E2k50.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.135.20.4
 | SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe | malicious | Xmrig | 45.89.228.144
 | bin.armv7l.elf | malicious | Mirai | 212.192.15.49
 | https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14 | malicious | Phisher | 45.147.195.16
 | https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14 | malicious | Phisher | 45.147.195.16
                            No context
                            No context
                            Process:C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                            Category:dropped
                            Size (bytes):71954
                            Entropy (8bit):7.996617769952133
                            Encrypted:true
                            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                            Process:C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):328
                            Entropy (8bit):3.245596380966818
                            Encrypted:false
                            SSDEEP:6:kKTUTLD9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:7UTLaDImsLNkPlE99SNxAhUe/3
                            MD5:FBCAE3E590EC2F7C7437778927E38162
                            SHA1:4F1CEF1A63F37C22010A0C3FF59F59E578F6CB14
                            SHA-256:3ECE7355CA7D028FCBAF82495637A4BDDDE1161CDD4A148B81DE6F3DB9867F22
                            SHA-512:C5A4714475E3AC334F92DD2B1D24E117E03975D4CDA53893579AD73A861D3617FE90656E94E50BAFB78E6A2DDB0750B486D27D447F33B01CFBC44B3E9B8FC6DA
                            Malicious:false
                            Reputation:low
                            Preview:p...... ........[..M06..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.618163997317169
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
                            File size:48'640 bytes
                            MD5:a5ecad34cb793dbb9c03a601093e1c96
                            SHA1:6cebe7561b40cc11e15629ef7a3df55f3f411cbb
                            SHA256:cdbd60dbcef6cb4aab7fc1094547a3f16500c0c70032b30faacd6df5a5b0199b
                            SHA512:612278e99c4bf570756f3511d60ecd8c46654aededc07419779786814cc09d1fc5bb7d51c0c3210d7ac7be84bf47b1a3e0931a2075afb64348f193c063ae62fb
                            SSDEEP:768:xGq+s3pUtDILNCCa+Di+0j1rgLqRp8Aofiw8Yblge5s69OhtvEgK/JLZVc6KN:8q+AGtQO+OOPAmzbiws69ynkJLZVclN
                            TLSH:3D236D0037D8C136E2FD4BB9A9F292458279D6676903CB596CC811EA2F13BC597036FE
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x40cbbe
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line is repeated 97 times in the listing: it is the decoding of the 0x00 0x00 bytes that follow the jump)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb68 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xabc4 | 0xac00 | 0ff92624136e3603add37af1e05fc811 | False | 0.5025890261627907 | data | 5.643961753928753 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-14T01:58:23.010827+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP
2024-11-14T01:58:23.010827+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP
2024-11-14T01:58:23.010827+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.8 | 49706 | TCP
2024-11-14T01:58:38.554711+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.8 | 49708 | TCP
2024-11-14T01:59:17.974684+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.8 | 49716 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2024 01:58:22.109482050 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:22.114408016 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:22.114520073 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:22.137522936 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:22.142338037 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:22.998707056 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:23.005525112 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:23.010827065 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:23.274501085 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:23.321074963 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:24.634566069 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:24.639758110 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:24.639851093 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:24.644730091 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:27.398791075 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:27.446099043 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:27.543556929 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:27.586760044 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:35.871068001 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:35.876089096 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:35.876307964 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:35.881294012 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:36.147866011 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:36.196089983 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:36.293102026 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:36.332859039 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:36.338104010 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:36.338176966 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:36.342951059 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.103358030 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.108311892 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.108526945 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.113537073 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.376233101 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.430694103 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.520626068 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.571378946 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.657733917 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.662668943 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:47.662766933 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:47.667746067 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:57.403031111 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:57.446450949 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:57.548969984 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:57.602588892 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.337302923 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.342139006 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:58.342221022 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.346975088 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:58.621479034 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:58.664889097 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.761151075 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:58.763535976 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.768402100 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:58:58.768496990 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:58:58.773324966 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.575364113 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:09.580545902 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.580638885 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:09.585629940 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.851752043 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.899240017 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:09.993119001 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.994851112 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:09.999748945 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:09.999809980 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:10.004761934 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:20.806180000 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:20.811042070 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:20.811095953 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:20.815911055 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:21.079090118 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:21.133738995 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:21.223676920 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:21.225944042 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:21.231069088 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:21.231149912 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:21.236160994 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:27.399724007 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:27.446160078 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:27.544281960 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:27.586998940 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.040544987 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.045736074 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:32.046045065 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.051578999 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:32.316452980 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:32.368249893 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.462274075 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:32.464287996 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.473001957 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:32.473068953 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:32.479362011 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.275213003 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:43.280410051 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.280697107 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:43.285609961 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.548559904 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.602554083 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:43.692629099 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.694900036 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:43.699784994 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:43.699878931 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:43.704710007 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.509409904 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:54.514569998 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.514647007 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:54.519723892 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.783533096 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.837152958 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:54.927177906 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.929560900 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:54.934756994 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:54.934835911 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:54.943578959 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:57.395560980 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:57.446206093 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 01:59:57.539973974 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 01:59:57.586935043 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:05.743794918 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:05.748872995 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:05.749119043 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:05.753956079 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:06.016518116 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:06.071332932 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:06.160734892 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:06.162518024 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:06.167484045 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:06.167589903 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:06.172426939 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:16.978064060 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:16.983032942 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:16.983140945 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:16.988027096 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:17.250555992 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:17.290127993 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:17.395025015 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:17.396863937 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:17.401758909 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:17.401860952 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:17.406840086 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:25.525170088 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:25.530113935 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
Nov 14, 2024 02:00:25.530247927 CET | 49706 | 35650 | 192.168.2.8 | 45.135.232.38
Nov 14, 2024 02:00:25.535043955 CET | 35650 | 49706 | 45.135.232.38 | 192.168.2.8
                            Nov 14, 2024 02:00:25.797873020 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:25.852699041 CET4970635650192.168.2.845.135.232.38
                            Nov 14, 2024 02:00:25.943429947 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:25.944574118 CET4970635650192.168.2.845.135.232.38
                            Nov 14, 2024 02:00:25.949482918 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:25.949615955 CET4970635650192.168.2.845.135.232.38
                            Nov 14, 2024 02:00:25.954474926 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:27.397286892 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:27.446398973 CET4970635650192.168.2.845.135.232.38
                            Nov 14, 2024 02:00:27.541841984 CET356504970645.135.232.38192.168.2.8
                            Nov 14, 2024 02:00:27.587035894 CET4970635650192.168.2.845.135.232.38
                            Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                            Nov 14, 2024 01:58:21.974050999 CET  50815        53         192.168.2.8  1.1.1.1
                            Nov 14, 2024 01:58:22.104664087 CET  53           50815      1.1.1.1      192.168.2.8

                            Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
                            Nov 14, 2024 01:58:21.974050999 CET  192.168.2.8  1.1.1.1  0x2855    Standard query (0)  dckazts.duckdns.org  A (IP address)  IN (0x0001)  false

                            Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address          Type            Class        DNS over HTTPS
                            Nov 14, 2024 01:58:22.104664087 CET  1.1.1.1    192.168.2.8  0x2855    No error (0)  dckazts.duckdns.org          -      45.135.232.38    A (IP address)  IN (0x0001)  false
                            Nov 14, 2024 01:58:23.411525011 CET  1.1.1.1    192.168.2.8  0x7ad6    No error (0)  bg.microsoft.map.fastly.net  -      199.232.210.172  A (IP address)  IN (0x0001)  false
                            Nov 14, 2024 01:58:23.411525011 CET  1.1.1.1    192.168.2.8  0x7ad6    No error (0)  bg.microsoft.map.fastly.net  -      199.232.214.172  A (IP address)  IN (0x0001)  false
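The network rows in this report were extracted with their columns run together, and a fused row is genuinely ambiguous: "192.168.2.845.135.232.38" reads as 192.168.2.8 talking to 45.135.232.38 or as 192.168.2.84 talking to 5.135.232.38. The script below is an added example for this write-up, not Joe Security code: it enumerates every valid reading of a row, settles ambiguous rows by requiring the endpoint pair to also occur in a row that parses uniquely (TCP conversations are symmetric, so the reply direction anchors the request direction), then rebuilds the flow to 45.135.232.38:35650, tags it with the DuckDNS name from the DNS answer table, and lists the start of each activity burst so the beacon cadence can be read off. The ten sample rows are copied from the TCP table above; the DNS mapping and the one-second burst gap are taken from the report and chosen as a threshold respectively.

```python
"""Rebuild TCP flows from a Joe Sandbox network table whose columns were fused by text
extraction.  Added example for this write-up, not code from Joe Security.  Sample rows are
copied from the report; the DNS mapping comes from its DNS answer table."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from itertools import product

# Rows as extracted: timestamp, then "SPORT DPORT SRC-IP DST-IP" run together without separators.
TCP_ROWS = """\
Nov 14, 2024 01:59:43.704710007 CET356504970645.135.232.38192.168.2.8
Nov 14, 2024 01:59:54.509409904 CET4970635650192.168.2.845.135.232.38
Nov 14, 2024 01:59:57.395560980 CET356504970645.135.232.38192.168.2.8
Nov 14, 2024 01:59:57.446206093 CET4970635650192.168.2.845.135.232.38
Nov 14, 2024 02:00:05.743794918 CET4970635650192.168.2.845.135.232.38
Nov 14, 2024 02:00:05.748872995 CET356504970645.135.232.38192.168.2.8
Nov 14, 2024 02:00:16.978064060 CET4970635650192.168.2.845.135.232.38
Nov 14, 2024 02:00:16.983032942 CET356504970645.135.232.38192.168.2.8
Nov 14, 2024 02:00:25.525170088 CET4970635650192.168.2.845.135.232.38
Nov 14, 2024 02:00:25.530113935 CET356504970645.135.232.38192.168.2.8
""".splitlines()
DNS_ANSWERS = {"45.135.232.38": "dckazts.duckdns.org"}  # A record from the DNS answers table

ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{9}) CET(?P<rest>[\d.]+)$")

def _port_ok(s):
    return s.isdigit() and not s.startswith("0") and int(s) <= 65535

def _ip_ok(s):
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or not o.startswith("0")) and int(o) <= 255 for o in octets)

def candidates(rest):
    """Every valid (sport, dport, src, dst) reading of one fused run.  A row on its own is often
    ambiguous: '192.168.2.845.135.232.38' is 192.168.2.8|45.135.232.38 or 192.168.2.84|5.135.232.38."""
    out = set()
    for l1, l2 in product(range(1, 6), repeat=2):
        p1, p2, tail = rest[:l1], rest[l1:l1 + l2], rest[l1 + l2:]
        runs = tail.split(".")
        if not (_port_ok(p1) and _port_ok(p2)) or len(runs) != 7:
            continue
        glued = runs[3]  # last octet of src glued to first octet of dst
        for cut in range(1, len(glued)):
            src = ".".join(runs[:3] + [glued[:cut]])
            dst = ".".join([glued[cut:]] + runs[4:])
            if _ip_ok(src) and _ip_ok(dst):
                out.add((int(p1), int(p2), src, dst))
    return out

def _endpoints(c):
    return frozenset({(c[2], c[0]), (c[3], c[1])})

def parse_rows(rows):
    """Parse every row, then settle ambiguous ones by consistency: a reading is accepted only
    if its endpoint pair also occurs in some row that parses uniquely (the other direction)."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        ts = datetime.strptime(m["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")  # %f takes microseconds
        cands = candidates(m["rest"])
        if not cands:
            raise ValueError(f"no valid reading: {row!r}")
        parsed.append((ts, cands))
    anchors = {_endpoints(next(iter(c))) for _, c in parsed if len(c) == 1}
    packets = []
    for ts, cands in parsed:
        if len(cands) > 1:
            cands = {c for c in cands if _endpoints(c) in anchors}
        if len(cands) != 1:  # refuse to guess; check the pcap instead
            raise ValueError(f"still ambiguous at {ts}: {sorted(cands)}")
        packets.append((ts, cands.pop()))
    return packets

def summarise(packets, burst_gap=1.0):
    """Per flow: packets per direction, duration, burst start times (a gap longer than
    burst_gap seconds opens a new burst; burst spacing is the beacon cadence) and DNS name."""
    flows = defaultdict(list)
    for ts, c in packets:
        flows[_endpoints(c)].append((ts, c))
    report = {}
    for key, pkts in flows.items():
        pkts.sort()
        bursts, last = [], None
        for ts, _ in pkts:
            if last is None or (ts - last).total_seconds() > burst_gap:
                bursts.append(ts.strftime("%H:%M:%S"))
            last = ts
        named = [DNS_ANSWERS[ip] for ip, _ in key if ip in DNS_ANSWERS]
        report[key] = {
            "directions": dict(Counter(f"{c[2]}:{c[0]}->{c[3]}:{c[1]}" for _, c in pkts)),
            "duration_s": (pkts[-1][0] - pkts[0][0]).total_seconds(),
            "burst_starts": bursts,
            "dns_name": named[0] if named else None,
        }
    return report

if __name__ == "__main__":
    for key, info in summarise(parse_rows(TCP_ROWS)).items():
        print(sorted(key), info)
```

Run on the ten rows it reports one flow, 192.168.2.8:49706 to 45.135.232.38:35650 (dckazts.duckdns.org), with bursts starting at 01:59:43, 01:59:54, 01:59:57, 02:00:05, 02:00:16 and 02:00:25. The voting step matters: without it the client-to-server rows would parse two ways, and a parser that silently picked the first reading could put the C2 at 5.135.232.38.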

                            Target ID: 0
                            Start time: 19:58:18
                            Start date: 13/11/2024
                            Path: C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe
                            Wow64 process (32bit): false
                            Commandline: "C:\Users\user\Desktop\17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe"
                            Imagebase: 0xbd0000
                            File size: 48'640 bytes
                            MD5 hash: A5ECAD34CB793DBB9C03A601093E1C96
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2723773811.0000000001213000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2723462562.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1463053475.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2725457488.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2723958398.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2723958398.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation: low
                            Has exited: false


                              Execution Graph

                              Execution Coverage: 19.6%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 9
                              Total number of Limit Nodes: 0
                              Executed paths in the dynamically decrypted region at 7FFB4AD30000 (all nine graph nodes):
                              • 7ffb4ad32d3d -> 7ffb4ad32d4b VirtualProtect -> 7ffb4ad32e2b
                              • 7ffb4ad329e1 -> 7ffb4ad329eb LoadLibraryA -> 7ffb4ad32ad2
                              • 7ffb4ad318ca -> 7ffb4ad32a00 LoadLibraryA -> 7ffb4ad32ad2
                              The only Win32 APIs reached from this region are LoadLibraryA and VirtualProtect, and the memory dump it was taken from is not backed by a PE image ("based on PE: false" below). Loading a library and then changing page protections from non-image code is the sequence used to patch a loaded DLL in place; the report does not show which library or function is touched, so confirm that against the dump before treating it as a finding.

                              Control-flow Graph

                              Function 7ffb4ad330e2-7ffb4ad338a4: no Win32 API is called directly; internal calls to 7ffb4ad31998, 7ffb4ad319a8, 7ffb4ad319b8, 7ffb4ad338d5, 7ffb4ad319c8, 7ffb4ad319d8, 7ffb4ad32418 (from two blocks), 7ffb4ad31988 and 7ffb4ad30628.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,
                              • API String ID: 0-3772416878
                              • Opcode ID: 6cde9dd4aceaf0e244cbc0d2ae6e6e63f0bb083ee8592514c34758b87350e2e8
                              • Instruction ID: db549a210041150329a06a937af786750603823d37e0772fc11df66c0e1ae063
                              • Opcode Fuzzy Hash: 6cde9dd4aceaf0e244cbc0d2ae6e6e63f0bb083ee8592514c34758b87350e2e8
                              • Instruction Fuzzy Hash: 5032A2A1B1DA0A4FE759FF38C0596B977D2EF98310F6445B9D45EC32C6CE28AC428741

                              Control-flow Graph

                              Function 7ffb4ad38346-7ffb4ad38803: no Win32 API; one internal call to 7ffb4ad38804; four single-block loops (7ffb4ad38458-7ffb4ad3846b, 7ffb4ad384eb-7ffb4ad384fe, 7ffb4ad38603-7ffb4ad38616, 7ffb4ad3869e-7ffb4ad386b1).
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6ef48bdc742645bbe9d429295e890069d5f6317d4ca35dcfa1d79d4a3ca1d014
                              • Instruction ID: 3332c88784a2a4b85a3b7b60bb607951bccd0a13c647ddee7e1f6a65e02a0f5f
                              • Opcode Fuzzy Hash: 6ef48bdc742645bbe9d429295e890069d5f6317d4ca35dcfa1d79d4a3ca1d014
                              • Instruction Fuzzy Hash: 32F1B27060CA8D8FEBA9EF28C8457E977D1FF54310F1442BAE84DC7691CB34A9458B82

                              Control-flow Graph

                              Function 7ffb4ad390f2-7ffb4ad3957f: no Win32 API; one internal call to 7ffb4ad39580; four single-block loops (7ffb4ad39208-7ffb4ad3921b, 7ffb4ad3929b-7ffb4ad392ae, 7ffb4ad39330-7ffb4ad39343, 7ffb4ad393d0-7ffb4ad393e3). Same shape as the function at 7ffb4ad38346, and its instruction fuzzy hash below is close to that function's.
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 058da8ec53863dd0e72313ae45f89b4e654e9d50794eb5c7a0d8498e27045245
                              • Instruction ID: 12cef11646f8764460f715efa41b502980239f4384e32b8ad3e5b7b2d547508e
                              • Opcode Fuzzy Hash: 058da8ec53863dd0e72313ae45f89b4e654e9d50794eb5c7a0d8498e27045245
                              • Instruction Fuzzy Hash: BEE1E570A0CA8E8FEBA8EF28C8557E977D1FF54310F1482AED84DC7695CE7498418B81

                              Control-flow Graph

                              Function 7ffb4ad329e1-7ffb4ad32b31: the entry block 7ffb4ad329e1-7ffb4ad32ad0 calls LoadLibraryA, then the tail block 7ffb4ad32ad8-7ffb4ad32b31 calls the internal routine 7ffb4ad32b32.
                              APIs: LoadLibraryA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 140345c58e017e07ce13d0778ccf2f997520b91336f8e71cf048d5b03307e123
                              • Instruction ID: f1ffad88e664f3ec9bdb16806326270cd9ff33b877658368a8b1c0a2e02000f2
                              • Opcode Fuzzy Hash: 140345c58e017e07ce13d0778ccf2f997520b91336f8e71cf048d5b03307e123
                              • Instruction Fuzzy Hash: 41417F70A08A1C8FDB98EF68D849BEDBBF1FF59310F1041AAD04DD7256CA74A845CB40

                              Control-flow Graph

                              Function entered at 7ffb4ad318ca, sharing its body (7ffb4ad32ad0-7ffb4ad32b31) with the function at 7ffb4ad329e1: the entry block calls LoadLibraryA, then 7ffb4ad32ad8-7ffb4ad32b31 calls the internal routine 7ffb4ad32b32.
                              APIs: LoadLibraryA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 16fbe945693f78797f052b536b79bda67c873ebae0ea2d6c563e12172a2119aa
                              • Instruction ID: 4c45f09c236780138b0bd975c66f4af7c1f9bb0e0c8383c6c059b6fe34993e14
                              • Opcode Fuzzy Hash: 16fbe945693f78797f052b536b79bda67c873ebae0ea2d6c563e12172a2119aa
                              • Instruction Fuzzy Hash: 55413F70A08A1C8FDB98EF68D849BEDB7F1FB59310F1041AAD40EE7255CB75A846CB41

                              Control-flow Graph

                              Function 7ffb4ad32d3d-7ffb4ad32e59: block 7ffb4ad32d6e-7ffb4ad32e29 calls VirtualProtect; no other API is reached.
                              APIs: VirtualProtect
                              Memory Dump Source
                              • Source File: 00000000.00000002.2727052865.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4ad30000_17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f39.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 2f1055baa9b459ac31751eb994b266ebfb625e7a02b0a19fd0056b82645cd9a5
                              • Instruction ID: 6467cd829dddbcff258a18788d023a7bd0d1abe8349ee2aa231426a4958fe421
                              • Opcode Fuzzy Hash: 2f1055baa9b459ac31751eb994b266ebfb625e7a02b0a19fd0056b82645cd9a5
                              • Instruction Fuzzy Hash: 5941283190D7888FDB1AAF689C466A97FE0EF56321F1442EFD089C7192CA746806C792