Source: envnuev1124.duckdns.org | Avira URL Cloud: Label: malware |
Source: zvXPSu3dK5.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "envnuev1124.duckdns.org", "Ports": "3013", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "cE5YcGRiQ2tZRmVnWFhWT1B5STFUNm9mVXhZbUtHMVc=", "Install_File": "u+IClhfNDH2v5/ITCehCWdlfT6x5HInctrFCAdC2ui1bgbclbh7z5M1BzH6qyKiyJENTQKeUFk+bfc/Qfv2QNolb9eoE6CtkgauKPpSWN6Y=", "AES_key": "pNXpdbCkYFegXXVOPyI1T6ofUxYmKG1W", "Mutex": "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", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"} |
Source: zvXPSu3dK5.exe | ReversingLabs: Detection: 78% |
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: zvXPSu3dK5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: zvXPSu3dK5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor | URLs: envnuev1124.duckdns.org |
Source: unknown | DNS query: name: envnuev1124.duckdns.org |
Source: Yara match | File source: zvXPSu3dK5.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.zvXPSu3dK5.exe.550000.0.unpack, type: UNPACKEDPE |
Source: Joe Sandbox View | IP Address: 192.169.69.26 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: envnuev1124.duckdns.org |
Source: zvXPSu3dK5.exe, 00000000.00000002.4632419326.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/xworm_v2 |
Source: Yara match | File source: 00000000.00000000.2187461490.0000000000552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: zvXPSu3dK5.exe PID: 3524, type: MEMORYSTR |
Source: zvXPSu3dK5.exe, LimeLogger.cs | .Net Code: KeyboardLayout |
Source: zvXPSu3dK5.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: zvXPSu3dK5.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.0.zvXPSu3dK5.exe.550000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.0.zvXPSu3dK5.exe.550000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000000.2187461490.0000000000552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: zvXPSu3dK5.exe PID: 3524, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: zvXPSu3dK5.exe, 00000000.00000000.2187491148.0000000000562000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs zvXPSu3dK5.exe |
Source: zvXPSu3dK5.exe | Binary or memory string: OriginalFilenameStub.exe" vs zvXPSu3dK5.exe |
Source: zvXPSu3dK5.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: zvXPSu3dK5.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.0.zvXPSu3dK5.exe.550000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.0.zvXPSu3dK5.exe.550000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000000.2187461490.0000000000552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: zvXPSu3dK5.exe PID: 3524, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: zvXPSu3dK5.exe, Settings.cs | Base64 encoded string: 'JKU8JxGpHRZRuzjAxuPqlr/bgoKjjNDMVWjKm4s6ayBgpl3W9N3cfKmi/B+DWXKJz1AXDph1pynMRE2nP9F9Dg==', 'W6l2oqDdWTUJ/M0XW1kBIfO/el9Tg/xyTUchP4eRiGnt4Qp2s2Plj5FisGAjUopkJGWOQq8xLKHa8XHBnu8zDg0Ms0slsViKDqz2Iw+9Rr0=', 'tuQhJgJZ3dthwzwCl1ddIn0p5X/XxJjgXSMecrScbC+n97OHvSiqyVpcczAue0KtgAtj7j3w4Yv6UVmZ05Oa0AHPE4JI8EM49U6+vbYApEfOYVHn518laO9Vx43ojxo+', 'u+IClhfNDH2v5/ITCehCWdlfT6x5HInctrFCAdC2ui1bgbclbh7z5M1BzH6qyKiyJENTQKeUFk+bfc/Qfv2QNolb9eoE6CtkgauKPpSWN6Y=', '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 |