Edit tour
Windows
Analysis Report
8a984491558f624bf313baf8453d547c0f714822058a2aca540f64dc78e4078f.exe
Overview
General Information
Sample name: | 8a984491558f624bf313baf8453d547c0f714822058a2aca540f64dc78e4078f.exe |
Analysis ID: | 1564558 |
MD5: | bd29364f916d0e1bba479e785773e00e |
SHA1: | 7f6a2fee536af37dcfbd46d316c061ba63bc7fd7 |
SHA256: | 95061805157fafa10b3587bb9a2aae6e149e5ac7c7829f648ad8a988d78efe59 |
Tags: | exefat7ola0077-ddns-netuser-JAMESWT_MHT |
Infos: | |
Detection
AsyncRAT, PureLog Stealer, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- 8a984491558f624bf313baf8453d547c0f714822058a2aca540f64dc78e4078f.exe (PID: 7904 cmdline:
"C:\Users\ user\Deskt op\8a98449 1558f624bf 313baf8453 d547c0f714 822058a2ac a540f64dc7 8e4078f.ex e" MD5: BD29364F916D0E1BBA479E785773E00E)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"External_config_on_Pastebin": "null", "Server": "fat7ola0077.ddns.net", "Ports": "6666", "Version": "AWS | 3Losh", "Autorun": "false", "Install_Folder": "OUlTdmJkbVltOXNUWmJNSTNaenJBRFRHdW5DVEQ1NUY=", "Install_File": "/EXaE8Iv7YqwUvYpdCam7S2MxkUsp4f6lJ03myXyh6Q2qlSXKYTxmGM1hfEisqclWLa8M3DQpW1Z18oCMdCWvB0O67jIi88Nj9+C60s9nv4=", "AES_key": "9ISvbdmYm9sTZbMI3ZzrADTGunCTD55F", "Mutex": "e6cxv2vqqx5IGT6xHT4NI4U8+Cw/dU3kPjaWP5/Orp4bKr11+1tMVpzyrSwPysP/tXlPw8GYsbvLR82oHuEL+64SA8d7to64YTYd1wyu4i9OLRzsgkWfpanEwxRKF1vx89i3CK1CNbN0cbQhDNNMXo1xv5nze5bVdrps5hujecnBuWXj2mGKGfsw2BXxurBIMSXDoCPTVmpmJ8Nl+ArV/qx6bNPSxdh1sn+BxOzl+jvvey5FSWGxDrwz+5++bOEFPohFc1X5JxFDrXN5UqGuhrWLDGAGMu/uioeZxXz5LaedwpgKjbQLiklx4CE1tNFCLTW3cdMIgrfX3k0Xnw9GKSTx2mx6sHUCJu08LGucoPpJcqYLo8LA74lDmGlRU4IalpcFmpM3zzmZis0JKdoavVPRAUBofxoOZ7cg3xR9La2n7+TYCc2iOoMJu61fLMO963KR3n+YP23UQvldFfVTuie7Y8h9JWMAQnU98bmdhY4B8IBIiqC+niW9LWJ/FtiF6tNIzoOy2EDFCAM3ThiVfMdx5KiutDG0QtRZfZaxoFW+1lUcnVHN6HMU38GJ4mgX+DAqUhXorfR3cI/d7SbwWoXIdJ7qulQopR1q4YoKRrjxtvTY8cR/IuaeAtPXdKMXTGV0pf7A5xdk9nuV/53J2ju8K1BGTOy+MrD5FO4/ZK0=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
JoeSecurity_BrowserPasswordDump_1 | Yara detected BrowserPasswordDump | Joe Security | ||
Click to see the 8 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Click to see the 9 entries |
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-28T14:17:11.781215+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 172.93.110.112 | 6666 | 192.168.2.8 | 49706 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-28T14:17:11.781215+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 172.93.110.112 | 6666 | 192.168.2.8 | 49706 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-28T14:17:11.781215+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 172.93.110.112 | 6666 | 192.168.2.8 | 49706 | TCP |
2024-11-28T14:17:34.805738+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 172.93.110.112 | 6666 | 192.168.2.8 | 49710 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | File source: | ||
Source: | File source: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | .Net Code: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_010CE508 | |
Source: | Code function: | 0_2_0742ED18 | |
Source: | Code function: | 0_2_0742CBC8 | |
Source: | Code function: | 0_2_0742B7F0 | |
Source: | Code function: | 0_2_07421559 | |
Source: | Code function: | 0_2_07428450 | |
Source: | Code function: | 0_2_07421CE8 | |
Source: | Code function: | 0_2_07421CF8 | |
Source: | Code function: | 0_2_0742E200 | |
Source: | Code function: | 0_2_0744F078 | |
Source: | Code function: | 0_2_074436C8 | |
Source: | Code function: | 0_2_074436BB | |
Source: | Code function: | 0_2_07441B10 | |
Source: | Code function: | 0_2_076FB668 | |
Source: | Code function: | 0_2_076F1ED0 | |
Source: | Code function: | 0_2_076F7508 | |
Source: | Code function: | 0_2_076FB65B | |
Source: | Code function: | 0_2_076F74F8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Base64 encoded string: |