Edit tour

Windows Analysis Report
850.exe

Overview

General Information

Sample name:	850.exe
Analysis ID:	1571223
MD5:	bbcb59d0329221e6ab409c0aceaef72a
SHA1:	317a9e5220efc1438df0957a7199377b8fc400d1
SHA256:	31f50eda5a542daad800246c8c8824650f1523bde4c3e944acda96c10fe3b0f7
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

.NET source code contains potential unpacker

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

850.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\850.exe" MD5: BBCB59D0329221E6AB409C0ACEAEF72A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "65.21.198.54", "Port": "850", "Version": "A 13", "MutexName": "AsyncMutex_5552454", "Autorun": "false", "Group": "true"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
850.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
850.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
850.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd998:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10e38:$a2: Stub.exe 0x10ec8:$a2: Stub.exe 0x9dac:$a3: get_ActivatePong 0xdbb0:$a4: vmware 0xda28:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xaedc:$a6: get_SslClient
850.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xda2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd82a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 850.exe PID: 6920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 850.exe PID: 6920	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1cf68:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.850.exe.bc0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.850.exe.bc0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.850.exe.bc0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd998:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10e38:$a2: Stub.exe 0x10ec8:$a2: Stub.exe 0x9dac:$a3: get_ActivatePong 0xdbb0:$a4: vmware 0xda28:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xaedc:$a6: get_SslClient
0.0.850.exe.bc0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xda2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Base64 encoded string: 'Ywh6U9qkjx6Igc50M0jq7mCp9YdS2+tErnz3TBprAM/E0LZx1RjeeLwKMBMSIWTM2jODABl5q0EawqA4UXhPMg==', 'LMqlOIdy0lT5vXKb/LByp02UrAf791yfcXm1S8p4mu1rsH1QLqXUR4GLUFvzkDvfnMlZB1654Jvbf1uvae8qLg==', 'pE3eIOm2LFhxkKn7axUb9gNIzs1lLZLQEZu6Llneg0JBkLktf1oe0QlUmeeLJMG5+ZvIur/p+W8Wx9k6sL6PzQ==', 'JhS10/4XyoYM5zsZHsfughEczac6KjCdW3sv0DX4NNCaKSdsaZdh9zy9qK3GTFwExVfhaCKv4wjkX3RD7fK4VA==', 'Qxtb3t29aWPI9yCMcMcs7FWNfHXR0+CIr8eKXdMJx5t9HjqX/1XXF3dePQDl1fqmyTmwE11CvQbRtaxVoOARoCfEseKJooiDuq03rZ/uvUg=', 'q9x8MVD4p/aYnW3586Ve/EWNwn7mwWGz8R1mYGRc9BPnVj/KKqmvdoTb8eRRQ4lU3QIHUuDXFVgPymfV7lovs26p1vhG1b65HkvRRaGc0XxbJTDV40fOBLlbe2jBCZ0/WCEWx0eNSPjQxkCKaLZKbayeSLNmTSSjZrbFqtytdJFBLRAr8VXCaJHipnWArde6up37MDZRQO2pcyNhFKBdDwUjMaRdZ0GLb7e/EI9JwLcf1/1DIGqBeLRNbG4GrLxZxtHe4i94Etkn6l+Yj8BpO8ueWmd0MFLd6kV5FicwmBO8P2XMnv68/lk8RloOKivCKDnmCLyUnxMQ5lPFMoRRDKXin6nHlt3FW6Zc6qbo1voDlWrghYuEemDx0OAkvux2FG9liHq+TJ4wInf1/q5/VguaDl/O+pgmq7CcMuwaoE83e8xyBOLDFkUnI9XjZjYhOEfR8yT70T0cKSMsfinTDzgRpJDaGQl4wNLySV306PW3/kXviL3m9fMslYU8nHnVo+01TiTR3MXpR8nsPDwo3G9tbITgGtfpO5pwGkxxHkGywVYh2ymQ9nzf5J+F69QLWZrOG3nzP2/cb7mM4r1xnb2ZqdbNqXHS9ZTYUzXBzSGu0V54UvRLRmgq6Hsk+JYIh1Rd+TzJ6bPLaCSdGiGunYdu8jLA8biuh1x1l3EKwvIOX9VJfoe+/Vf4rUFGFdAymXy4ey5P/iaQsbS8LRpZsLFq4ldHHXL0WePQ+mtoCueXS7RvsnfcTLZTKkhgb+ABr38TjnfDY5eFD4rQjJirtsLFTv/pWDw7XosxgXP0htym0Q3L0ebyckR0+Bh2n5wIocmEp0xuybT5r8xuP8cgVUsQHYib2ovSpUpP7IDfsabhFkGjyvwur6qHRFjfnwUEGWb3WLrjwRWXLl7Ortx3rTrSVrci0ATZNS+sk1sr/dnbbIgY6gijam+VKkixz4xWd3pWGtuKXAynuN6y5czgacVFl62aR6iVKFjh/kleuZ+IHkDudYaL0fxXxJcApe706fgYWkLAV9onyekFmpr0mOL70EduXvfigEv8hBTjVQoPlbpc5O0Ntt84YNNtyqEsKXUfG9kiPllyPYZT4EIRNdYqaCJX3TW6XIfgcOxKPiss1zPhHfPMAlBbTifBkHvzQ/Rr00LLixLs2Xq30S24IeNKc1QYm2Xkp9y0smyOLjRLnGS2zGzzw8nFGGYoHw2y0Zpi51CZQhEPGuDD1XLYxRHS9ZC+zSUj8qwh3yZZy+6K7LVcj65DeDx2mBAr5IAtO50Nz+3AqDCLNkqP7nGSMHDx4PrRFJlp4NEdFDYKPaJ8Dyl8Ch9ih1W+n/+uHhLdTGIpcN+CjjjpnZuC2NMHZ9UGtIfIpQWSrwsLE+uhk9dt289n407VZB9OdDVl+zVoxR1R3aUU3BH290a0wAy4PL6qkCgIF8wz4GqW1FmIKrGcGKuAyU9P7neA7pPFe35S5f8ianx4d8J4pfW13eNCkAjH9juxwEFe+fcDxSWwMu33rsHsAtrAcqGOZmqcRnxO5djlPXedo7xR51g9jNE7QpHTTgrwPQc+LNOgaA/k8pH9QNhenqhjUyihLRawHWSYBV2HmnysEREe44ZZ/Anr1TFFRpmTZ1WAj+19prxvJWAiEuhLpcsq8PzlLrIOMbOL2I4/5G8Lw5c4tRwr83R6D7R/lhiFp1kKsTKjlHLr47D/VD/f44F1s/rX+kItHESInHQqLjuc0z2tfxtIibA1CUwBh44s27zF1Gr7wV8oYZggqkewu6ZGyYAtLbGJf4X6DYrhU6+nIb7x0MTarmMkXUcVDCsF9T/Ro920o6G7NILzKkQQNuYAmj+ZSZ7zmsBKlOkTlWPV0WO248Hqe8cxrMK3xKNSOe3X0MDSNd+F4SCYPl/MnXxqdk4yrOFEVTLsnr/V83wT9BLLsbmXxfciAyRaVuL2L3MLXOXe9YlmLJSgdoFUcIpCEpQh745g8Zbvtny+c1TEMN3tBPrgb73BwxREiA8N0+tf3/QxiA741cwyTcQpysmSGvaZmCeJSi/nWje8aaUgI28kv6YrJImXWx8tx6Q8jvR83yeRPJcEU2Hz/UBLfY1XxoPiQBVIaKdNjAMkhXCA0DwHCa2x9HOcHJYd2Kuwb5VigSNN0VDpWl/8HRujrmPmrCUZLCGQiZj91iUhHeFk0xtsLKzkb33oCuynK4733Y8JMgRiH9rtdXZxNJkZPOAyEmAr+0nP+jgaC0exIHx+Zzpd5wYKSmYZif+sES7LoPgdc4dWeEryzPW9//Bf/4U5+6j7L4QA99pzvR8wA5ZS+ChFF3lyTjD8o/WRbjefbyjKhMTwn6bk/H8=', 'pz/ogAaRcWOtGNi20ZaWWMw3e97soaq/cIHLCuz+pexDz7HYAP5dt6yydvuNGXNKgfPxlWLqYuxHs+LY9GE/LhWaNvK04CuCP1+sWdUJWyPTu5cuTBN67Sp1s8VCrfGKplYHBXMr+oCI8vAOGZg4getDTKxSYcSmCPnPWFm

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\850.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_5552454
Source: C:\Users\user\Desktop\850.exe	Mutant created: NULL

Source: 850.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 850.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\850.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 850.exe	ReversingLabs: Detection: 76%
Source: 850.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\850.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Section loaded: schannel.dll	Jump to behavior

Source: 850.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 850.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 850.exe, yTXDgdzKkUZEy.cs

.Net Code: zZEnjKEUPGrPh System.AppDomain.Load(byte[])

Source: 850.exe, sJzixzjPUkf.cs

High entropy of concatenated method names: 'IfExTTjnktaX', 'MozAIbYaGW', 'SVsWodqLZneal', 'oIUANkEUIesYI', 'PuvDQwjHBTjnz', 'kzvhUTSjSSX', 'IQnjbAXBKPH', 'XaLeNchVQTI', 'cGXsmtmllnwPOZ', 'NtfFBQDmlfM'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 850.exe, type: SAMPLE
Source: Yara match	File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR

Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 850.exe, type: SAMPLE
Source: Yara match	File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 850.exe

Binary or memory string: SBIEDLL.DLLM\B(BC1|[13])[A-ZA-HJ-NP-Z0-9]{26,45}\B

Source: C:\Users\user\Desktop\850.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\850.exe	Window / User API: threadDelayed 3790			Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Window / User API: threadDelayed 6198			Jump to behavior

Source: C:\Users\user\Desktop\850.exe TID: 1648	Thread sleep count: 3790 > 30	Jump to behavior
Source: C:\Users\user\Desktop\850.exe TID: 1648	Thread sleep time: -3790000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\850.exe TID: 1648	Thread sleep count: 6198 > 30	Jump to behavior
Source: C:\Users\user\Desktop\850.exe TID: 1648	Thread sleep time: -6198000s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\850.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: 850.exe	Binary or memory string: vmware
Source: 850.exe, 00000000.00000002.3739345563.0000000001292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\850.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\850.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\850.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\850.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\850.exe	Queries volume information: C:\Users\user\Desktop\850.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\850.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\850.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 850.exe, type: SAMPLE
Source: Yara match	File source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FalseQ\AppData\Roaming\Exodus\exodus.conf.json
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FalseQ\AppData\Roaming\Exodus\exodus.conf.json
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: FalseQ\AppData\Roaming\Exodus\exodus.conf.json
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AtomicI\AppData\Roaming\binance\Preferences
Source: 850.exe, 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: InstalledK\AppData\Roaming\Ledger Live\app.json

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	121 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
850.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
850.exe	79%	Virustotal		Browse
850.exe	100%	Avira	TR/Dropper.Gen
850.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.21.198.54	unknown	United States		199592	CP-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571223
Start date and time:	2024-12-09 07:11:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	850.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:34:17	API Interceptor	7635210x Sleep call for process: 850.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CP-ASDE	tDLozbx48F.exe	Get hash	malicious	Gurcu Stealer	Browse	65.21.49.163
	botx.spc.elf	Get hash	malicious	Mirai	Browse	65.21.172.4
	Finish_Agreement_DocuSign.pdf	Get hash	malicious	Unknown	Browse	65.21.29.43
	RasTls.dll	Get hash	malicious	Unknown	Browse	65.20.90.139
	RasTls.dll	Get hash	malicious	Unknown	Browse	65.20.90.139
	RFQ.scr.exe	Get hash	malicious	Discord Token Stealer	Browse	65.21.66.211
	hiss.arm7.elf	Get hash	malicious	Unknown	Browse	65.20.118.153
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	65.21.172.133
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	65.21.98.72
	0438.pdf.exe	Get hash	malicious	Unknown	Browse	65.21.245.7

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.496538881675499
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	850.exe
File size:	71'168 bytes
MD5:	bbcb59d0329221e6ab409c0aceaef72a
SHA1:	317a9e5220efc1438df0957a7199377b8fc400d1
SHA256:	31f50eda5a542daad800246c8c8824650f1523bde4c3e944acda96c10fe3b0f7
SHA512:	2ec6686cf4d46d68f7c4e10240b1f7dec3d4c78c62c5fd1358ac8dc001555e62fbf851897a47fb5681763b2ad7e75a435143f7e6bd67468f8fa30015a245e8ff
SSDEEP:	1536:goTwK0N6HQ/sKxDwtc/l39PvlbcdPVUdvLcMBYWSVtAONx:goTwK0N6HQ/Bxsq9NHlbcd9avLcMqvrz
TLSH:	A863D8007FF99015F2FEAF706DF665510BB9F5A76A12E50E2D8411C90922F819E02BBF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Rg.f.............................)... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4129be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D86752 [Wed Sep 4 13:57:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12964	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x109c4	0x10a00	eb60ca49bf5e9bbb67b5559c0a2b9daa	False	0.48265683740601506	data	5.5317449441437825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x7ff	0x800	84ea5c50756e42389ede56e284c936a1	False	0.4169921875	data	4.887541126326967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	f15f3321ec5a6830049f05613ae4100a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1436c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 07:12:48.554074049 CET	49702	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:12:48.673346043 CET	850	49702	65.21.198.54	192.168.2.7
Dec 9, 2024 07:12:48.673445940 CET	49702	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:12:48.685082912 CET	49702	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:12:48.804383039 CET	850	49702	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:10.575392962 CET	850	49702	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:10.575539112 CET	49702	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:15.817523956 CET	49702	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:15.817831039 CET	49769	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:15.936817884 CET	850	49702	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:15.937021017 CET	850	49769	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:15.937098026 CET	49769	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:15.937422037 CET	49769	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:16.056682110 CET	850	49769	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:37.841666937 CET	850	49769	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:37.841798067 CET	49769	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:42.909854889 CET	49769	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:42.910156012 CET	49832	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:43.029130936 CET	850	49769	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:43.029381990 CET	850	49832	65.21.198.54	192.168.2.7
Dec 9, 2024 07:13:43.029443026 CET	49832	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:43.030072927 CET	49832	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:13:43.149692059 CET	850	49832	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:04.920241117 CET	850	49832	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:04.920301914 CET	49832	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:09.925344944 CET	49832	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:09.926141977 CET	49897	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:10.044668913 CET	850	49832	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:10.045344114 CET	850	49897	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:10.045702934 CET	49897	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:10.046278954 CET	49897	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:10.165715933 CET	850	49897	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:31.967644930 CET	850	49897	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:31.971045017 CET	49897	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:36.972353935 CET	49897	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:36.972820044 CET	49959	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:37.091645956 CET	850	49897	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:37.092124939 CET	850	49959	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:37.092195988 CET	49959	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:37.092528105 CET	49959	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:14:37.211831093 CET	850	49959	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:58.983865023 CET	850	49959	65.21.198.54	192.168.2.7
Dec 9, 2024 07:14:58.983933926 CET	49959	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:03.995475054 CET	49959	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:03.995939970 CET	49980	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:04.114810944 CET	850	49959	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:04.115151882 CET	850	49980	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:04.115236044 CET	49980	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:04.122294903 CET	49980	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:04.241888046 CET	850	49980	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:26.031671047 CET	850	49980	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:26.031791925 CET	49980	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:31.035170078 CET	49980	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:31.035547972 CET	49981	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:31.154561996 CET	850	49980	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:31.154783010 CET	850	49981	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:31.154882908 CET	49981	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:31.155360937 CET	49981	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:31.274811029 CET	850	49981	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:53.047343969 CET	850	49981	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:53.047713995 CET	49981	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:58.051016092 CET	49981	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:58.051698923 CET	49982	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:58.170202971 CET	850	49981	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:58.170938015 CET	850	49982	65.21.198.54	192.168.2.7
Dec 9, 2024 07:15:58.171057940 CET	49982	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:58.171720982 CET	49982	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:15:58.290925026 CET	850	49982	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:20.063688993 CET	850	49982	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:20.063747883 CET	49982	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:16:25.067095995 CET	49982	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:16:25.067096949 CET	49983	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:16:25.186506987 CET	850	49982	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:25.186526060 CET	850	49983	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:25.186815023 CET	49983	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:16:25.189241886 CET	49983	850	192.168.2.7	65.21.198.54
Dec 9, 2024 07:16:25.308514118 CET	850	49983	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:47.080790997 CET	850	49983	65.21.198.54	192.168.2.7
Dec 9, 2024 07:16:47.089345932 CET	49983	850	192.168.2.7	65.21.198.54

Target ID:	0
Start time:	01:12:43
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\850.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\850.exe"
Imagebase:	0xbc0000
File size:	71'168 bytes
MD5 hash:	BBCB59D0329221E6AB409C0ACEAEF72A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	6

Executed Functions

Function 0150E328 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47bd89d259f1253061b8a70656b81d278bbc0865354f4ad01795accae92c310
Instruction ID: e3730c2414aa7f424d0e37fdf9031d99f831908d0f66995f6b4b431a698ccc90
Opcode Fuzzy Hash: c47bd89d259f1253061b8a70656b81d278bbc0865354f4ad01795accae92c310
Instruction Fuzzy Hash: 62526F31A0061ACFDB16CF98C881AAEB7B2FF44304F558899D915AF291E771FD85CB50

Function 01507F5A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01507FDE
GetCurrentThread.KERNEL32 ref: 0150801B
GetCurrentProcess.KERNEL32 ref: 01508058
GetCurrentThreadId.KERNEL32 ref: 015080B1

Strings

5Wv, xrefs: 01507F7C

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 5Wv
API String ID: 2063062207-2348436390
Opcode ID: 8f56b498fd33ba3b26f729656c4a4e0e1052af4f277fa2ca20507435bf87c525
Instruction ID: f74be1c587de303b1b0521fb73021bdae74ed108597ed09f96b54f363fcc03ff
Opcode Fuzzy Hash: 8f56b498fd33ba3b26f729656c4a4e0e1052af4f277fa2ca20507435bf87c525
Instruction Fuzzy Hash: 155143B0901309CFDB14DFAAD949BAEBBF1FF48314F208419E019A72A0DB356945CF66

Function 01507F60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01507FDE
GetCurrentThread.KERNEL32 ref: 0150801B
GetCurrentProcess.KERNEL32 ref: 01508058
GetCurrentThreadId.KERNEL32 ref: 015080B1

Strings

5Wv, xrefs: 01507F7C

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 5Wv
API String ID: 2063062207-2348436390
Opcode ID: 65972bad4819c2a8ded0cf25e3291a5f732f84ba2b2c1c7c4298468c78030a50
Instruction ID: 1f8422b0a5083939ece3c37136e4ebb8ccf2b9e94bc610d8a0b45fa2ea048c88
Opcode Fuzzy Hash: 65972bad4819c2a8ded0cf25e3291a5f732f84ba2b2c1c7c4298468c78030a50
Instruction Fuzzy Hash: 665142B0901309CFDB14DFAAD549BAEBBF1BF88314F208419E019A72A0DB356945CF66

Function 01507CAC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150816E,?,?,?,?,?), ref: 0150822F

Strings

5Wv, xrefs: 015081C7

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: DuplicateHandle
String ID: 5Wv
API String ID: 3793708945-2348436390
Opcode ID: 01fca03dd46a2b08c69424e579babce4da093022ef63dbb848a8464a53582f7a
Instruction ID: d882fc720b359efdddd344b9af4ad156ca48ffc3bcfb1b7d7b3365f98b848993
Opcode Fuzzy Hash: 01fca03dd46a2b08c69424e579babce4da093022ef63dbb848a8464a53582f7a
Instruction Fuzzy Hash: 6021F2B5D003099FDB10CF9AD884AEEBBF4FB48310F14841AE918A7350D375A941CFA4

Function 015081A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150816E,?,?,?,?,?), ref: 0150822F

Strings

5Wv, xrefs: 015081C7

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: DuplicateHandle
String ID: 5Wv
API String ID: 3793708945-2348436390
Opcode ID: 0542883c5c710395cc671470055eb5b26e54f471afa3ecb284c16e7521f576a2
Instruction ID: 77cde26bf1d8205bdb4b4f9d7c69b69831a1eaffef44d2e19a18339268e35bda
Opcode Fuzzy Hash: 0542883c5c710395cc671470055eb5b26e54f471afa3ecb284c16e7521f576a2
Instruction Fuzzy Hash: A421E3B5D003099FDB10CF9AD985ADEBBF5FB08320F14841AE918A7350D778A955CFA4

Function 01502CA3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01502D23

Strings

5Wv, xrefs: 01502CC2

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: HookWindows
String ID: 5Wv
API String ID: 2559412058-2348436390
Opcode ID: 8dfd35d03604a8f5ed5dee925c19146193ebce5fbb3a73383f41183793793de7
Instruction ID: 02d93094e6fd4fa21d5ab0632759f3e56f4ba500ebdc9f24558287f61e0f6e5b
Opcode Fuzzy Hash: 8dfd35d03604a8f5ed5dee925c19146193ebce5fbb3a73383f41183793793de7
Instruction Fuzzy Hash: 97213575D002099FDB24DF9AC844BEEBBF5FB88310F108429D419A7290CB75A941CFA4

Function 01502CA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01502D23

Strings

5Wv, xrefs: 01502CC2

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: HookWindows
String ID: 5Wv
API String ID: 2559412058-2348436390
Opcode ID: 0794407857e291bfe0790fd59027150c100e960d9b09893980105bec1dd5c40c
Instruction ID: 5ffaf0aa965c71800d7d21ab23afc462941830a02c61740289279ba1e406222e
Opcode Fuzzy Hash: 0794407857e291bfe0790fd59027150c100e960d9b09893980105bec1dd5c40c
Instruction Fuzzy Hash: C7212475D002099FDB24DFAAD844BEEFBF5FB88310F10842AD419A7290CB74A945CFA4

Function 0150D648 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0150D6BD

Strings

5Wv, xrefs: 0150D66F

Memory Dump Source

Source File: 00000000.00000002.3739605145.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1500000_850.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 5Wv
API String ID: 2492992576-2348436390
Opcode ID: 7f27130aed2b0cf58c87b515e03b3d60685cda5154319f6c9955b0bfc9586df4
Instruction ID: cf42a7295826f936db4ff513f3febc680271d777b79bbe2d460f8bbd4a22751b
Opcode Fuzzy Hash: 7f27130aed2b0cf58c87b515e03b3d60685cda5154319f6c9955b0bfc9586df4
Instruction Fuzzy Hash: 2111AC75805389DEDB21DF9AC8057EEBFF4EB08314F14801AD599B7281CB399604CFA6

Function 011AD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3739028638.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_850.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ed296e628be1c4e117ac3937758af34ea24e9ef6666a0bb2f9be7a5877daec
Instruction ID: c2be53fc832886bdcf679f775478e3682eb1d2538f64f6c664559ced58c09881
Opcode Fuzzy Hash: d5ed296e628be1c4e117ac3937758af34ea24e9ef6666a0bb2f9be7a5877daec
Instruction Fuzzy Hash: D9213679504600DFDF19DF54E9C0B26BF71FB88324F60C569E9490AA56C336D406CBA2

Function 011BD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3739101512.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_850.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b557cd171572db7a957ea6455376238010055459dd7066f4385235d1a9cb54c3
Instruction ID: 303d9266b52226b33dc90ec5daa8d382d6e905a2bcf4882b4398e43ace645ae2
Opcode Fuzzy Hash: b557cd171572db7a957ea6455376238010055459dd7066f4385235d1a9cb54c3
Instruction Fuzzy Hash: 5921F2B56042049FDF0DDF54E9C4B66BBA5EB88328F24C56DD8094B296C33AD846CA62

Function 011AD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3739028638.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_850.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: c0535c3b683604bc329f84d05550ceb01c0b663b1385638483bd4104ae9de4eb
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 6F11DFBA504240CFCF06CF58D5C0B16BF72FB84324F2485A9D9494B657C336D456CBA2

Function 011BD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3739101512.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_850.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 6b18dbfe12654b8db7acb440af744d35fbde6e0d2476b8e858b29b5bc28db0f0
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: A411D075504240CFDB0ACF54D9C4B55BFB1FB44328F24C6ADD8494B256C33AD44ACB51

Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.198.54

Source: 850.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 850.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: 850.exe, 00000000.00000000.1286757447.0000000000BD4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs 850.exe
Source: 850.exe, 00000000.00000002.3740948439.0000000005929000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 850.exe
Source: 850.exe	Binary or memory string: OriginalFilenameStub.exe" vs 850.exe

Source: 850.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 850.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.850.exe.bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1286737440.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 850.exe PID: 6920, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 850.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
850.exe

Function 01507F5A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130
threadCOMMON

Function 01507F60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 01507CAC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 015081A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Function 01502CA3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Function 01502CA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Function 0150D648 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON