Edit tour

Windows Analysis Report
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Overview

General Information

Sample name:	1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
Analysis ID:	1572736
MD5:	54af7dde5c98e20089ae4a5dc295cb32
SHA1:	d7affca6008365f9e8c48ed22847f98d97781738
SHA256:	c66fdb0e04d7bee6ac4513956d1cf5f9fc21e27cad0d32bbc7906ff4440ed2e9
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe (PID: 4580 cmdline: "C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe" MD5: 54AF7DDE5C98E20089AE4A5DC295CB32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "dcrsf.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "DXHnpqvTVbV4bhEh6LUz5f6sS1braVIP", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "bOH4+nkkOuFt62yM3B3NrX5jCy5PJU3D72L179e0uKevKDfMJUljcwbS8epgem8pE2v7bumGCks5hNJ6yaqqRhVVc/7YrRk3B1yFueVgPNQJL+NYnbEAIIc94f2NV1IzZ0YUw9+iDwAWiK8vp8Zvjop2yuTCnm+vvjUom3TYAoU=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4b7:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x98ec:$a2: timeout 3 > NUL 0x990c:$a3: START "" " 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.3278618622.000000001B490000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xb05cc:$b2: DcRat By qwqdanchun1
00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x132a8:$b2: DcRat By qwqdanchun1 0x4dfcc:$b2: DcRat By qwqdanchun1 0x80c60:$b2: DcRat By qwqdanchun1
00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5488:$b1: DcRatByqwqdanchun 0x3f4a4:$b2: DcRat By qwqdanchun1
00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x21e3dc:$b2: DcRat By qwqdanchun1 0x27bd58:$b2: DcRat By qwqdanchun1 0x283a7c:$b2: DcRat By qwqdanchun1 0x283ccc:$b2: DcRat By qwqdanchun1
Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x39b32:$a1: havecamera 0xe4e:$b1: DcRatByqwqdanchun 0x3e715:$b1: DcRatByqwqdanchun 0xc938:$b2: DcRat By qwqdanchun1 0x11ccf:$b2: DcRat By qwqdanchun1 0x27dd5:$b2: DcRat By qwqdanchun1 0x31edd:$b2: DcRat By qwqdanchun1
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T20:16:03.387892+0100	2034847	1	Domain Observed Used for C2 Detected	45.135.232.38	5999	192.168.2.5	49704	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T20:16:03.387892+0100	2842478	1	Malware Command and Control Activity Detected	45.135.232.38	5999	192.168.2.5	49704	TCP

ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T20:16:03.387892+0100	2848048	1	Domain Observed Used for C2 Detected	45.135.232.38	5999	192.168.2.5	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": "dcrsf.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "DXHnpqvTVbV4bhEh6LUz5f6sS1braVIP", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "bOH4+nkkOuFt62yM3B3NrX5jCy5PJU3D72L179e0uKevKDfMJUljcwbS8epgem8pE2v7bumGCks5hNJ6yaqqRhVVc/7YrRk3B1yFueVgPNQJL+NYnbEAIIc94f2NV1IzZ0YUw9+iDwAWiK8vp8Zvjop2yuTCnm+vvjUom3TYAoU=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Joe Sandbox ML: detected

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:5999 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.5:49704

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: dcrsf.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: dcrsf.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 45.135.232.38:5999

Source: Joe Sandbox View

IP Address: 45.135.232.38 45.135.232.38

Source: Joe Sandbox View

ASN Name: ASBAXETNRU ASBAXETNRU

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dcrsf.duckdns.org

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3278618622.000000001B565000.00000004.00000020.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277175130.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enO=
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3278618622.000000001B490000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Code function: 0_2_00007FF848E78346	0_2_00007FF848E78346
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Code function: 0_2_00007FF848E790F2	0_2_00007FF848E790F2
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Code function: 0_2_00007FF848E730E2	0_2_00007FF848E730E2

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000000.2017137647.00000000007FE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe" vs 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3278618622.000000001B490000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, Settings.cs	Base64 encoded string: 'xzR3cVVpgDycUQgY0as1vV57BHZFANfxtwXNElQNvlNX0kK0iU9IL3xQN2+XEpgKh0TW25v9/F5USJCldzWYSA==', 'Ojc7Uxt2W9ahvmpUFawD24kx1VS0h+nhY8bjPOB74xxMwZoFHQ3qPxNUSZHMhVGKCZwfi/ba73ygTvx56fc1fvKtMiaNGQyrEom49Jb/gZU=', 'n2yz6bXpDdFiWqy6BE4hAkYIiKu+t6elqgn/FXQfxee6+tfIjYGZpnvjENpvBx+vP2XiMQShK3QWLkByknWLpw==', 'Rl6k7a/cZa932SDiKo0g7lhLy45TcBgUyHiG7W44kBrxyE4ev1psl8qcb0Q8RlqcbKQgc1JoK7iq0HrF2r4FHz6wHmNom7WDgrTtbGRYuQs=', 'hZpw8az99+WrFwt1LWQtAkf/TyPWOxU0Gpv8OI6i84MfH0Awk9MK0retDp0F2ospB0hMB0VI9W0EHHIOdYXlFQ==', 'ZoN1FqpLDJ75VZHA+cYpo4pCXT3WlklTJz6yCOJ/TxNWPm6wBDQVRLk+XnZBsTo/Q2NRriAm1VXY7oq9qVvzUw==', 'O9B+96TM8gs9KNmuvCjeC94+uD0js550+ThdE7o8nggf4A1GwQz8NVBYSuTWVUWBqMsfSEeiWG7z77juJCcFvw=='
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Section loaded: msdmo.dll	Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Code function: 0_2_00007FF848E700BD pushad ; iretd

0_2_00007FF848E700C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Memory allocated: D30000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Window / User API: threadDelayed 778			Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Window / User API: threadDelayed 9086			Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe TID: 4028	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe TID: 1400	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe TID: 3816	Thread sleep count: 778 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe TID: 3816	Thread sleep count: 9086 > 30	Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3279079004.000000001B718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3279079004.000000001B718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3278929516.000000001B6AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3278929516.000000001B6AB000.00000004.00000020.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3278888765.000000001B680000.00000004.00000020.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe PID: 4580, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	100%	Avira	HEUR/AGEN.1307404
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
dcrsf.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
dcrsf.duckdns.org	45.135.232.38	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dcrsf.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe, 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.135.232.38	dcrsf.duckdns.org	Russian Federation		49392	ASBAXETNRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572736
Start date and time:	2024-12-10 20:15:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.193.114.26, 23.193.114.18, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
14:16:05	API Interceptor	1x Sleep call for process: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.135.232.38	1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse
	172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe	Get hash	malicious	Remcos	Browse
	sostener.vbs	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	DHL__734825514204.exe	Get hash	malicious	FormBook	Browse	199.232.214.172
	FG Or#U00e7amento JAN 2025.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	Stonhard Response Required 10 Dec, 2024- 0PH8-NYFV0C-ZDU7.msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://intelligentrepairsolutions-my.sharepoint.com/:b:/g/personal/a_zell_irs-group_com/ETrGN6yXppBBt5Jzbj4zKhgBq4v6Oyb7O70AESL4N06CfQ?e=4%3aChQOAq&at=9	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://listafrica.org/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	199.232.210.172
	ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	199.232.214.172
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	199.232.214.172
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	E-dekont.exe	Get hash	malicious	MassLogger RAT	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASBAXETNRU	Josho.spc.elf	Get hash	malicious	Unknown	Browse	212.192.27.99
	payload.elf	Get hash	malicious	Unknown	Browse	212.192.15.59
	hax.sh4.elf	Get hash	malicious	Mirai	Browse	91.193.216.228
	nscmips.elf	Get hash	malicious	Unknown	Browse	212.192.12.119
	ET5.exe	Get hash	malicious	Unknown	Browse	45.8.159.106
	apilibx64.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	venomderek.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	45.130.145.152
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	212.196.108.28
	mips.elf	Get hash	malicious	Unknown	Browse	212.192.15.158
	ppc.elf	Get hash	malicious	Unknown	Browse	212.192.15.158

Process:	C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.144086598890895
Encrypted:	false
SSDEEP:	6:kKaaL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:BiDnLNkPlE99SNxAhUe/3
MD5:	B251F79C5942E6DFA5AD6BBF8DF9B703
SHA1:	F710D85FC7B1BF92765B752EC317B927F63B50D8
SHA-256:	1D2CBEE4ADF7A4C606AF5FC974F2EB78810440EDD001AD3251B5414D103F43A1
SHA-512:	3D2939491C55741F13316922CDC55CD1C7146DD85AB78C92EBDCABE3BECFD61D4EAC8BFFD143CFFBDD2C1975D9AF5DC0F41A5AA47A88E781903909BA902CA53D
Malicious:	false
Reputation:	low
Preview:	p...... ...........7K..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.6204762789751666
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
File size:	48'640 bytes
MD5:	54af7dde5c98e20089ae4a5dc295cb32
SHA1:	d7affca6008365f9e8c48ed22847f98d97781738
SHA256:	c66fdb0e04d7bee6ac4513956d1cf5f9fc21e27cad0d32bbc7906ff4440ed2e9
SHA512:	c2fa8350cdaa1ba19da3bea5c6ef2a90b6cce3f6a9618483cebaf83c4ed47a1dd90aa5a4708ee31fe35a13ef991aa4d66fa3858497bda3d61a8ba1d5c9a52352
SSDEEP:	768:xGq+s3pUtDILNCCa+Di+0jd3gLqRp8AoPiIiYbrge4k6kNaioVFIJ5vEgK/JLZVS:8q+AGtQO+GaPAKBbUkN8C5nkJLZVclN
TLSH:	B5237E0037E9C136E2FD4BB4A8F2924582B9D66B6903DB596CC411EA1F13BC597036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cbbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb68	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabc4	0xac00	d1321a55bfb633435ca6ed2a56b2550e	False	0.5023846293604651	data	5.646251060684921	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	82148d01c3935cf90ef81a3dd1fad607	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T20:16:03.387892+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	45.135.232.38	5999	192.168.2.5	49704	TCP
2024-12-10T20:16:03.387892+0100	2034847	ET MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	45.135.232.38	5999	192.168.2.5	49704	TCP
2024-12-10T20:16:03.387892+0100	2848048	ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	45.135.232.38	5999	192.168.2.5	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:16:01.802001953 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:01.922418118 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:01.922518969 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:01.943928957 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:02.067188025 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:03.256216049 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:03.266293049 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:03.387892008 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:03.706769943 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:03.759587049 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:06.827230930 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:06.953440905 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:06.953500986 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:07.073065042 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:15.411967039 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:15.462788105 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:15.615587950 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:15.665858984 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:17.996289968 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:18.116497993 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:18.116588116 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:18.237580061 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:18.601259947 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:18.650227070 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:18.790946960 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:18.800122976 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:18.919531107 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:18.919594049 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:19.039717913 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:29.166645050 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:29.288120031 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:29.288168907 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:29.407548904 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:29.767936945 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:29.822137117 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:29.959809065 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:29.961548090 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:30.080857038 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:30.080926895 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:30.201452971 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:40.338366985 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:40.458393097 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:40.458451986 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:40.578392982 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:40.939496040 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:40.994005919 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:41.131176949 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:41.132734060 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:41.257961988 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:41.258048058 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:41.384761095 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:45.412847042 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:45.462733984 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:45.604840040 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:45.650233984 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:51.510117054 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:51.629745007 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:51.629852057 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:51.749413013 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:52.111699104 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:52.165877104 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:52.303086042 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:52.304716110 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:52.425376892 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:16:52.425467014 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:16:52.545461893 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:02.681998968 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:02.802885056 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:02.802946091 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:02.924954891 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:03.322424889 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:03.368997097 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:03.540584087 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:03.551318884 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:03.675327063 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:03.675411940 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:03.802160978 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:13.857110023 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:13.982580900 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:13.982640982 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:14.106453896 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:14.466368914 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:14.525315046 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:14.657773972 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:14.663151026 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:14.785814047 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:14.785924911 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:14.907242060 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:15.417395115 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:15.462768078 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:15.606928110 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:15.650268078 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:25.046766996 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:25.172135115 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:25.172214031 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:25.295485973 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:25.654552937 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:25.697191000 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:25.846483946 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:25.848222971 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:26.019962072 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:26.020045042 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:26.147808075 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:36.197582960 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:36.330612898 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:36.330672979 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:36.495647907 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:36.812256098 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:36.853518963 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:37.004226923 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:37.006690979 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:37.130260944 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:37.130321980 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:37.256381035 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:45.417232990 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:45.462809086 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:45.609090090 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:45.650312901 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:47.369676113 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:47.489237070 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:47.489293098 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:47.611387968 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:48.028755903 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:48.072346926 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:48.220537901 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:48.222224951 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:48.422280073 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:48.422398090 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:48.543632984 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:58.541300058 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:58.660885096 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:58.660967112 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:58.782511950 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:59.141976118 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:59.181543112 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:59.333857059 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:59.335422039 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:59.454721928 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:17:59.454781055 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:17:59.576860905 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:18:04.728861094 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:18:04.856704950 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:18:04.856760025 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:18:04.976571083 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:18:05.338068008 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:18:05.384676933 CET	49704	5999	192.168.2.5	45.135.232.38
Dec 10, 2024 20:18:05.530998945 CET	5999	49704	45.135.232.38	192.168.2.5
Dec 10, 2024 20:18:05.572170973 CET	49704	5999	192.168.2.5	45.135.232.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 20:16:01.456506968 CET	51399	53	192.168.2.5	1.1.1.1
Dec 10, 2024 20:16:01.796236992 CET	53	51399	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 20:16:01.456506968 CET	192.168.2.5	1.1.1.1	0x46df	Standard query (0)	dcrsf.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 20:16:01.796236992 CET	1.1.1.1	192.168.2.5	0x46df	No error (0)	dcrsf.duckdns.org	45.135.232.38	A (IP address)	IN (0x0001)	false
Dec 10, 2024 20:16:16.693447113 CET	1.1.1.1	192.168.2.5	0xb0da	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 10, 2024 20:16:16.693447113 CET	1.1.1.1	192.168.2.5	0xb0da	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

Analysis Process: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exePID: 4580, Parent PID: 1028

General

Target ID:	0
Start time:	14:15:57
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe"
Imagebase:	0x7f0000
File size:	48'640 bytes
MD5 hash:	54AF7DDE5C98E20089AE4A5DC295CB32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2017122021.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3278618622.000000001B490000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3277175130.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3277462109.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3277462109.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exePID: 4580, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848E730E2 Relevance: 2.0, Strings: 1, Instructions: 760
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FF848E7321A

Memory Dump Source

Source File: 00000000.00000002.3279743510.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d001984.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: c7bf2eb49eee2524fc09061740d9b6e3a427ad8da9586257a9c2d6db6daf47c9
Instruction ID: dad090ca42377a8abdebc3dcdce95cbe83ed5364118194f6e776c1f10a1cc436
Opcode Fuzzy Hash: c7bf2eb49eee2524fc09061740d9b6e3a427ad8da9586257a9c2d6db6daf47c9
Instruction Fuzzy Hash: B132CD31A1C90A9FE798EB2CD0556B9B7E2FF98790F940579D01EC32C6DF38A8428745

Function 00007FF848E78346 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3279743510.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d001984.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3bc99b728ed0cd6ccbb787d5bc8dc7005b1bf66e27f1b08794f1cf8dacac7a
Instruction ID: 9db6bd977039a98b48205d291f65cbac6e7f930a9a899806375a5bd46a2b9c6c
Opcode Fuzzy Hash: 3a3bc99b728ed0cd6ccbb787d5bc8dc7005b1bf66e27f1b08794f1cf8dacac7a
Instruction Fuzzy Hash: B8F1B23090CA8D8FEBA8EF28C8557E937D1FF64350F04426AE85DC7295DB7499418B86

Function 00007FF848E790F2 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3279743510.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d001984.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012ce350776342a61bf32c1937ffd6749e442ebb6eeb2a9e711d2a5641706756
Instruction ID: ed57347b27dfe614816576b49a05ad2272562fa5b9fd031d77e8a894f62927bf
Opcode Fuzzy Hash: 012ce350776342a61bf32c1937ffd6749e442ebb6eeb2a9e711d2a5641706756
Instruction Fuzzy Hash: 27E1C13090CA8D8FEBA9EF28D8557E977E1FF54350F04426EE84DC7295DB78A8418B81

Function 00007FF848E729E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF848E72ABF

Memory Dump Source

Source File: 00000000.00000002.3279743510.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d001984.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3135a243f20f0d94c6e61806f1a8b2e6441c4f303f7fa2e6e3ce0b092a720fd7
Instruction ID: 80bb06370499c35c02b7de7d2fc2ff24a3681dc9a6f897c060c48f1a8e362e0f
Opcode Fuzzy Hash: 3135a243f20f0d94c6e61806f1a8b2e6441c4f303f7fa2e6e3ce0b092a720fd7
Instruction Fuzzy Hash: AB416A70908A4C8FDB98EF58D845BEDBBF1FB99310F04426AD00ED7292DB75A845CB81

Function 00007FF848E72D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FF848E72E1A

Memory Dump Source

Source File: 00000000.00000002.3279743510.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e70000_1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d001984.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b4ec7af0f2ed740bc98e7d227df1c92b7ed888fa15938ae0d153165ed536736b
Instruction ID: fee99acce37759d8634cecdbf76265667e2f1a0985864ac0e17884406952c58e
Opcode Fuzzy Hash: b4ec7af0f2ed740bc98e7d227df1c92b7ed888fa15938ae0d153165ed536736b
Instruction Fuzzy Hash: EE41E63190DB885FDB1A9B689C466ED7FE0EF96321F0442AFD089C3193DB746406C796

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe

Function 00007FF848E730E2 Relevance: 2.0, Strings: 1, Instructions: 760
COMMON

Function 00007FF848E78346 Relevance: .5, Instructions: 472
COMMON

Function 00007FF848E790F2 Relevance: .5, Instructions: 458
COMMON

Function 00007FF848E729E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Function 00007FF848E72D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON