Edit tour
Windows
Analysis Report
QHLQyYBiH7.exe
Overview
General Information
Sample name: | QHLQyYBiH7.exerenamed because original name is a hash value |
Original sample name: | 5602b0e001ca58f3afa38ed2bebee63a.exe |
Analysis ID: | 1569562 |
MD5: | 5602b0e001ca58f3afa38ed2bebee63a |
SHA1: | 684042eb078191c1ae776491aed3ae302315224c |
SHA256: | d03990be37a53cf1ecb8189def43022ed7f04886b043c9640a32ea48fea1f1d4 |
Tags: | AsyncRATexeRATuser-abuse_ch |
Infos: | |
Detection
AsyncRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- QHLQyYBiH7.exe (PID: 4888 cmdline:
"C:\Users\ user\Deskt op\QHLQyYB iH7.exe" MD5: 5602B0E001CA58F3AFA38ED2BEBEE63A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{"Server": "195.26.255.81", "Ports": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "Serv.exe", "AES_key": "x9K8SFfbc9rHbplQxeIAk3eFsy6rV3l4", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "true", "External_config_on_Pastebin": "true", "BDOS": "null", "Startup_Delay": "3", "HWID": "cmZpGwUhD3Q3V1iMbLVXav8uvPpzAtw4bzJPFTlbkTd+ccVIO2rmuKpEdkmUujJ4OcftVFceQCAEuOGjfHxnQQ==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAMBXvryHIFhGdkjw26gQjzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjExMDI2MTQ0MzIxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJD2GxJUHyTA9QZO0N7p5cJ8PvZk4qsoa/2Iv3RqmEvIUkT1Rjz4LIcv/iaqADsBOqWCdJtu+GSnp+JieUKMG2315yw4pycAGPh+dJHJQ68IEuGLI6XdzXm0bG0yH76mvmTjsRh05kOVZUjAe9Vc8yqfBIndJBj5Gr6nSqDJ+V5mhivt26yLDC4GUcd9yNar1yOL4tJ2aRICakfQGhQIMOKUf2DmekYlqM3aneaLR5byZHKmiNuce3koRvx87xdlgLFjTcNCSv52q4t+Q5UN6sPqVrj3VJbwT1iW85zbwd/7DdTQ2JMtoNWXnwNiSS68QWW6XBc6UVcFwhE+Yg4TQD8Zyq1Nr5t3XXD1TpsOg+MWNDyJxI1A5b3mEbzHO3+dHoLcQ9RQ+bFg2nqtjcAU9bNfwtKiyygEYZxgU8BoOhxloS6KhF9NG7pw9lesMzq4sFK+0ko545drME1QIu1VorD0Zp8+HvTLUHvUjGUn1BkQiV5CzUufzMlnQEsH5ldEHFYkHzk8MfqERnJLyV21XLZCr1DmYkr5v3ZB4plVfrf9GQ6j2640gdu6LLAZhBRaDZqAjHOjAlLG4VqRLxUSvrVQm1rbV8uvQzsMi+lqvbW2r8Fkln3TxyyxFbDGdtbfKWZcIHXRVD9TFlx6d2sZmJKuyE+w8wlunZ2FnXt3xMYhAgMBAAGjMjAwMB0GA1UdDgQWBBTn2gTEZrwxp3sRYiCSJ1160JNqZDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBU/BrVpV8yhvG+75g8+n1D+KZLPnlyem/K4JQpGq5KESruvdCvUb2x/8KNlopa6R+R3c46cogLt++2dk8vxpwMuQuj+luCws38h8YFw5n0k2Al2RI+k1Tt9RQERZnphVrzJ22u4qYhxXzRJvJQSHw7FP8SeDAoCC7Aj1A8jysJ7B1URC6Ao7wPrFH9Q/fyYGp0dFWHRg3dOS9AoS8npJLYsF9sUxaCmgMeSNGWd3sAErMAsdtSr1EnVTn2axh7DNqlsyP8MyypGNUtv+mhTVBsXh5c2Wg9PMhapj3UqRUk61Ma+R/7PTZTQiggqY5r02dtrAypV/m7ghDZqieXJs6tiPh9d05qJfQtXFhbEJi//NGmojp4KBX9P2B4QwmhgegTRsDyiqZ6E9+NJnb890uFMgnqfsctyuXp0IL8gZcqh8aw08QSeWwNem5bWveMOXZX+O4Nkbw1Cd+9y1HnStIekc1hFuVtQwILcWckUkjbGrFmhT4fZ6kR5b/wvYhAaFsanIXXmDYBY12dVWlo3FGwZZx47wc8LKm7bAPhy2LmqJ12C99PLR/LI89UNw+q7YuIE5JqmfCRRAwD+UZ26JwuIo2EMv10kNrpuqyrSA+OT0rJgnfagTV6Q3zX6rGnDgwYd89qYrEauLMb4LyKlVdfE2b3iEgOujN/YPzd93Zq/Q==", "ServerSignature": "K8KuGCGi6GbaC+fhnxy0xzTLxVXLlaLrV7S1Ve5PG2X1/FVTeHsvjes53nn7E9dhFyg8SramiA5oj5eeFk0oJQRZWPr2/ZCVCk+VCUm03v7Zpk9hWPiVpjVFYgoWg+rU/V0+3voSPA1tBLiE8JM3QaimeMLRg/So3xPrlCqUBGN1ratFgZG9UELKijQzfOrgD2EMdzzkGXr6UyjopQ0oj4V8pSLgFr7iU2wYJxCOoEqmkQeEvwHT512ClQtFyeJvOAV1KtCreYR3sxv1V4cekfydaNkt24J7c8+7Z2BGf7VE5iU71KCKHHojItI3EEOroZ2C9ssPwXK2JoVq6EATjqANvOEbm1J/LkNAHmzfpEZqzzDHm46tcTqhRXrpRFLQRJ9W40UnQLeRiyx05trqK7q/vncbZcJMYvk/ntFxjg3B/welUF/nkz5+sGd3NDhufH0sP6dNRcQyc9yLh0fdpkOHhRm/TpYlAaE1WcIolJ6XWHmVb+bP23Q3FE2IYSUd1NGGFIItn6X2UZ55Cab+BYKR/JsFi0/7kC5hQZJyehv8NH9dX7J0MT55Det1FvlrAVub4VDyH6RAAbT8OrLM/RL0mdas7ujBMBnxlu1svxrppwh+Tz043gBiFtK7jBo26nAS2TH/iOjy6Hfn4U1FZtiOjXPwv2ujYrG0EQyxbYs=", "Group": "Default"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T21:01:59.087278+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T21:01:59.087278+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-05T21:01:59.087278+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |