Edit tour

Windows Analysis Report
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Overview

General Information

Sample name:	173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe
Analysis ID:	1570019
MD5:	ea40e46310163064f9f33ff2fb152364
SHA1:	6f5e20a87fd4b534e112928aff8d655559f6758b
SHA256:	f9c4ce97de10b00f02f0edc2417e510fdb774243a7a41426ac918c618bb3abac
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe" MD5: EA40E46310163064F9F33FF2FB152364)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "87.120.116.179", "Ports": "1500", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "wpaFxIcglMLADiogibPnifaeFDBMwMuF", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIGBz6Y+7gj2nikjFjRUrU+W1e6pMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMTIwMTE4NTMxOVoXDTM0MDkwOTE4NTMxOVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ7RkCU5e5ZZGOVZ75AKjw+32BE4r7Gh+NDIHidnET15r/o8cPJFvS5gpG4+iibf2Z0nRFnEuoTMJw07xCT/SG57sbHxxQWqLy+MzOO9Ja6xoYoZtHX2eKqlB8q/A+zgAA/ncmt7XysT58Qj/RJ8VVdvTNW2XqUpu67cC4U/VowjAgMBAAGjMjAwMB0GA1UdDgQWBBQGF84dbwRGs8dcAxJjYPEQ0vFz8DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAGElFBgck3Tl9JJ+akExL1Hf05KnfjNQqJh1Pb+sJI9mnuysEVbl9VfAwBmKCdvydwyWbc7opnIfL95l3s1WxqDM2iMqdHvKJAAqrdKbS+41ISGFkJYIApAxxE8iY2y0Nc9h4uS4wQ7EA95s0iYS3FU6a3fTiuBtdWqpIkSmIB3N", "ServerSignature": "BeuIAVEwZRflCChxbBouOkU4PHb82EjrnChy5tY9ZLUF9209+gb1OdfbM3LYzyzrwVJ2FuUrNib1mzMhYhPzzV5qj4NZWUFFWChE+8RScndJABLhzP86T9S8dw2xlnrMCojFUlu4HV4DwsBjHso4WQ/rQSHfAWYDO1D1ALcsJK4=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ac0:$a2: timeout 3 > NUL 0x9ae0:$a3: START "" " 0x996b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a20:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a20:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996b:$s2: L2Mgc2NodGFza3MgL2 0x98ea:$s3: QW1zaVNjYW5CdWZmZXI 0x9938:$s4: VmlydHVhbFByb3RlY3Q
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca2:$q1: Select * from Win32_CacheMemory 0x9ce2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d30:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d7e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11a:$s1: DcRatBy

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63f7:$a1: havecamera 0x98c0:$a2: timeout 3 > NUL 0x98e0:$a3: START "" " 0x976b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9820:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.3273764026.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4e4ac:$b2: DcRat By qwqdanchun1
00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x55a8:$b1: DcRatByqwqdanchun 0x29e2e4:$b2: DcRat By qwqdanchun1
Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5c2:$a1: havecamera 0x5194:$b1: DcRatByqwqdanchun 0x6a54:$b1: DcRatByqwqdanchun 0xe64d:$b2: DcRat By qwqdanchun1 0x29679:$b2: DcRat By qwqdanchun1
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ac0:$a2: timeout 3 > NUL 0x9ae0:$a3: START "" " 0x996b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a20:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a20:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996b:$s2: L2Mgc2NodGFza3MgL2 0x98ea:$s3: QW1zaVNjYW5CdWZmZXI 0x9938:$s4: VmlydHVhbFByb3RlY3Q
0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca2:$q1: Select * from Win32_CacheMemory 0x9ce2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d30:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d7e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11a:$s1: DcRatBy

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": "87.120.116.179", "Ports": "1500", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "wpaFxIcglMLADiogibPnifaeFDBMwMuF", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIGBz6Y+7gj2nikjFjRUrU+W1e6pMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMTIwMTE4NTMxOVoXDTM0MDkwOTE4NTMxOVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ7RkCU5e5ZZGOVZ75AKjw+32BE4r7Gh+NDIHidnET15r/o8cPJFvS5gpG4+iibf2Z0nRFnEuoTMJw07xCT/SG57sbHxxQWqLy+MzOO9Ja6xoYoZtHX2eKqlB8q/A+zgAA/ncmt7XysT58Qj/RJ8VVdvTNW2XqUpu67cC4U/VowjAgMBAAGjMjAwMB0GA1UdDgQWBBQGF84dbwRGs8dcAxJjYPEQ0vFz8DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAGElFBgck3Tl9JJ+akExL1Hf05KnfjNQqJh1Pb+sJI9mnuysEVbl9VfAwBmKCdvydwyWbc7opnIfL95l3s1WxqDM2iMqdHvKJAAqrdKbS+41ISGFkJYIApAxxE8iY2y0Nc9h4uS4wQ7EA95s0iYS3FU6a3fTiuBtdWqpIkSmIB3N", "ServerSignature": "BeuIAVEwZRflCChxbBouOkU4PHb82EjrnChy5tY9ZLUF9209+gb1OdfbM3LYzyzrwVJ2FuUrNib1mzMhYhPzzV5qj4NZWUFFWChE+8RScndJABLhzP86T9S8dw2xlnrMCojFUlu4HV4DwsBjHso4WQ/rQSHfAWYDO1D1ALcsJK4=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Joe Sandbox ML: detected

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 87.120.116.179:1500

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.116.179

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3273764026.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Code function: 0_2_00007FF848F430E5

0_2_00007FF848F430E5

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000000.2025039468.000000000070E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe" vs 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3273764026.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, Settings.cs	Base64 encoded string: 'UKk/prLjaCEdV7txv+yGZrp0S5STXIa+zFqyOUrIhwyzlnwbavti7MCYjJFyHwoGEHmGl9B9pqBPmkuydYYucA==', 'gYA+r/KDoN84ARnBcOf8aAI3Q4u7UO9ndzXOq91IsrptyWaWN8zLNnqr2Aaovq9MGG0DFZWuH2vcYFfMIcwz7A==', 'go/ni6lRwY6pooXrQwAN06Viuxc6C0UCeuCkhNZQWER2UXJOkaUJ8doWphYVUh4AqkqHinXT322SmYN7jAdKOA==', 'UdVwZzv+kSKx0MU+lsFLufZGlckVZFDo/LFGA5F24YafJ6F/Duft+5T4Bc0CYN1Bas7Vnyo0BjUSWqmz4S0iYQ==', 'gpkk6lnzJsgMkB/xwv1p1GncZrZ8bQwPfi6EjzMIcyoUO64RhlIpvqA/pG2bOnfRQJiY/pBicGx6i200l3rWKA==', 'orZZ89yMyg/TLlsO9OPjjNyQN+bEEyfwlW2mCeG1G1SRYvFkypjjhER4VVUzcqn1Me1OnCly6Cn1mAM769og2g=='
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Code function: 0_2_00007FF848F43F18 push E95CC1ABh; ret		0_2_00007FF848F43F29
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Code function: 0_2_00007FF848F400BD pushad ; iretd		0_2_00007FF848F400C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Memory allocated: 2700000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe TID: 1248

Thread sleep time: -65000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000002.3275260006.000000001B443000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe PID: 1020, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	100%	Avira	HEUR/AGEN.1307404
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe, 00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.116.179	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570019
Start date and time:	2024-12-06 14:14:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
87.120.116.179	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe	Get hash	malicious	XWorm	Browse
	17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe	Get hash	malicious	XWorm	Browse	87.120.116.179
	yIla7SeJ6r.doc	Get hash	malicious	XenoRAT	Browse	87.120.120.27
	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse	87.120.120.27
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Stealc, Vidar	Browse	87.120.125.31
	po4877383.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	e824975.html	Get hash	malicious	Unknown	Browse	87.120.114.172

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.616671765821841
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe
File size:	48'640 bytes
MD5:	ea40e46310163064f9f33ff2fb152364
SHA1:	6f5e20a87fd4b534e112928aff8d655559f6758b
SHA256:	f9c4ce97de10b00f02f0edc2417e510fdb774243a7a41426ac918c618bb3abac
SHA512:	59d090807eb27afdab1aa8ca0d831efa0917cab9ad38ed662bb29c50bfc826877ea2453ef917656af74334edb911d27fa1a0ee9feb4d6739c573c185710bee7c
SSDEEP:	768:dOEuILWCKi+DiBtelDSN+iV08YbygeKNWap+vEgK/J9lZVc6KN:dOtmBtKDs4zb1fNWRnkJ3ZVclN
TLSH:	9D235C4037E88136E2FD4BB8ADF2A54186B9D2676903C6596CC814EA1F13BC596036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab94	0xac00	855a9fc8bff2f2b21410de51229f1930	False	0.5017033066860465	data	5.64159433302446	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	d2892f5e6b6d9366633263ebc642dea3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 14:15:08.715178013 CET	49704	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:08.835129976 CET	1500	49704	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:08.835247993 CET	49704	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:08.856750965 CET	49704	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:08.976443052 CET	1500	49704	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:10.986429930 CET	1500	49704	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:10.986510038 CET	49704	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:16.025044918 CET	49704	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:16.029709101 CET	49705	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:16.144978046 CET	1500	49704	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:16.149573088 CET	1500	49705	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:16.149671078 CET	49705	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:16.150186062 CET	49705	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:16.269970894 CET	1500	49705	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:18.295732975 CET	1500	49705	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:18.295856953 CET	49705	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:23.309282064 CET	49705	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:23.310065031 CET	49706	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:23.429577112 CET	1500	49705	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:23.430192947 CET	1500	49706	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:23.430310965 CET	49706	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:23.430741072 CET	49706	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:23.550492048 CET	1500	49706	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:25.561389923 CET	1500	49706	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:25.561480045 CET	49706	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:30.576113939 CET	49706	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:30.576585054 CET	49717	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:30.695954084 CET	1500	49706	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:30.696307898 CET	1500	49717	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:30.696386099 CET	49717	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:30.701807022 CET	49717	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:30.821656942 CET	1500	49717	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:32.826926947 CET	1500	49717	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:32.827115059 CET	49717	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:37.840423107 CET	49717	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:37.840828896 CET	49738	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:37.960316896 CET	1500	49717	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:37.960616112 CET	1500	49738	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:37.960736036 CET	49738	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:37.965111017 CET	49738	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:38.085037947 CET	1500	49738	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:40.112360954 CET	1500	49738	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:40.112462044 CET	49738	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:45.121716976 CET	49738	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:45.122123957 CET	49754	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:45.241482019 CET	1500	49738	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:45.241879940 CET	1500	49754	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:45.241971970 CET	49754	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:45.243891001 CET	49754	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:45.363610983 CET	1500	49754	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:47.395306110 CET	1500	49754	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:47.395385027 CET	49754	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:52.402925014 CET	49754	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:52.403410912 CET	49770	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:52.524281979 CET	1500	49754	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:52.524761915 CET	1500	49770	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:52.524897099 CET	49770	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:52.525357962 CET	49770	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:52.644990921 CET	1500	49770	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:54.666462898 CET	1500	49770	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:54.666676044 CET	49770	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:59.668471098 CET	49770	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:59.668840885 CET	49791	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:59.788295984 CET	1500	49770	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:59.788562059 CET	1500	49791	87.120.116.179	192.168.2.5
Dec 6, 2024 14:15:59.788655996 CET	49791	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:59.789105892 CET	49791	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:15:59.908884048 CET	1500	49791	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:01.940740108 CET	1500	49791	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:01.940885067 CET	49791	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:06.950032949 CET	49791	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:06.950517893 CET	49808	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:07.069863081 CET	1500	49791	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:07.070238113 CET	1500	49808	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:07.070348024 CET	49808	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:07.070821047 CET	49808	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:07.190522909 CET	1500	49808	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:09.222117901 CET	1500	49808	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:09.225589991 CET	49808	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:14.231092930 CET	49808	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:14.231623888 CET	49824	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:14.350863934 CET	1500	49808	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:14.351391077 CET	1500	49824	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:14.351496935 CET	49824	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:14.351847887 CET	49824	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:14.471544981 CET	1500	49824	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:16.499623060 CET	1500	49824	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:16.499720097 CET	49824	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:21.512329102 CET	49824	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:21.512777090 CET	49845	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:21.632061958 CET	1500	49824	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:21.632551908 CET	1500	49845	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:21.632646084 CET	49845	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:21.633090973 CET	49845	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:21.753206968 CET	1500	49845	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:23.784455061 CET	1500	49845	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:23.784524918 CET	49845	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:28.794080019 CET	49845	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:28.794547081 CET	49861	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:28.914011002 CET	1500	49845	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:28.914272070 CET	1500	49861	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:28.914359093 CET	49861	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:28.914836884 CET	49861	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:29.034607887 CET	1500	49861	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:31.052269936 CET	1500	49861	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:31.052411079 CET	49861	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:36.059340000 CET	49861	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:36.059834003 CET	49877	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:36.179275990 CET	1500	49861	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:36.179620028 CET	1500	49877	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:36.179749012 CET	49877	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:36.180074930 CET	49877	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:36.299757004 CET	1500	49877	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:38.347346067 CET	1500	49877	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:38.347497940 CET	49877	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:43.356386900 CET	49877	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:43.356767893 CET	49898	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:43.476129055 CET	1500	49877	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:43.476452112 CET	1500	49898	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:43.476579905 CET	49898	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:43.477005005 CET	49898	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:43.596685886 CET	1500	49898	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:45.610059023 CET	1500	49898	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:45.610200882 CET	49898	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:50.621819973 CET	49898	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:50.622208118 CET	49914	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:50.741753101 CET	1500	49898	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:50.741904020 CET	1500	49914	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:50.742053032 CET	49914	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:50.742546082 CET	49914	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:50.862282038 CET	1500	49914	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:52.878922939 CET	1500	49914	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:52.879049063 CET	49914	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:57.887226105 CET	49914	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:57.887609005 CET	49930	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:58.007325888 CET	1500	49914	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:58.007484913 CET	1500	49930	87.120.116.179	192.168.2.5
Dec 6, 2024 14:16:58.007560968 CET	49930	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:58.008033037 CET	49930	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:16:58.127768993 CET	1500	49930	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:00.125433922 CET	1500	49930	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:00.125585079 CET	49930	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:17:05.137403965 CET	49930	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:17:05.137805939 CET	49947	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:17:05.258318901 CET	1500	49930	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:05.258661985 CET	1500	49947	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:05.258774042 CET	49947	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:17:05.259234905 CET	49947	1500	192.168.2.5	87.120.116.179
Dec 6, 2024 14:17:05.378891945 CET	1500	49947	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:07.394742966 CET	1500	49947	87.120.116.179	192.168.2.5
Dec 6, 2024 14:17:07.394857883 CET	49947	1500	192.168.2.5	87.120.116.179

Analysis Process: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exePID: 1020, Parent PID: 1028

General

Target ID:	0
Start time:	08:15:05
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe"
Imagebase:	0x700000
File size:	48'640 bytes
MD5 hash:	EA40E46310163064F9F33FF2FB152364
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2025019884.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3273764026.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3274113126.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exePID: 1020, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	24%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F430E5 Relevance: 2.0, Strings: 1, Instructions: 750
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FF848F4321A

Memory Dump Source

Source File: 00000000.00000002.3275790682.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 12a60f96bba71904d71bdc744a7e1b7a20689954cec8baf4902556c62febc038
Instruction ID: 82c39dea4259fd81a25fed6daf16ff06a96388be4e2c18e6981308e2d99475b2
Opcode Fuzzy Hash: 12a60f96bba71904d71bdc744a7e1b7a20689954cec8baf4902556c62febc038
Instruction Fuzzy Hash: 0D32C031A1D90A8FE798FB2C94556B9B7E2FFA8790F50057AD00ED32C6DF28AC418745

Function 00007FF848F429E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF848F42ABF

Memory Dump Source

Source File: 00000000.00000002.3275790682.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64d1baa544a3c42b26e9e2675646358ce0c681f84caed3cfffaf00bdf0480396
Instruction ID: 1a57f69f3a0f5eb385a54d11ab9547dd5272b64fa53a562c24042017bc540ea1
Opcode Fuzzy Hash: 64d1baa544a3c42b26e9e2675646358ce0c681f84caed3cfffaf00bdf0480396
Instruction Fuzzy Hash: AA413A30908A5C8FDB98EF98D859BE9BBF1FB99310F10416AD04DD7292CB75A845CB81

Function 00007FF848F42D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF848F42E1A

Memory Dump Source

Source File: 00000000.00000002.3275790682.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b65eb13b3b2cd5bcfd62e547033a234e9f87fd35a35fb6dcede20bf914289911
Instruction ID: 719840899a3370efd193875b54b1599b472a627079d982204fe445cfe67cf0a4
Opcode Fuzzy Hash: b65eb13b3b2cd5bcfd62e547033a234e9f87fd35a35fb6dcede20bf914289911
Instruction Fuzzy Hash: 6B41063190D7884FDB199BA89C466AD7FF0EF96321F0442AFD089D3293CB786406C796

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe

Function 00007FF848F430E5 Relevance: 2.0, Strings: 1, Instructions: 750
COMMON

Function 00007FF848F429E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Function 00007FF848F42D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON