Edit tour

Windows Analysis Report
CrSpoofer.exe

Overview

General Information

Sample name:	CrSpoofer.exe
Analysis ID:	1575584
MD5:	2e87d4e593da9635c26553f5d5af389a
SHA1:	64fad232e197d1bf0091db37e137ef722024b497
SHA256:	561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

CrSpoofer.exe (PID: 2104 cmdline: "C:\Users\user\Desktop\CrSpoofer.exe" MD5: 2E87D4E593DA9635C26553F5D5AF389A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "0.tcp.eu.ngrok.io", "Ports": "15174", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "XeSaBDVweaVCzikSzrqdWiRFXAruYM7t", "Mutex": "aNoM7pvDUvoo", "Certificate": "MIIE8jCCAtqgAwIBAgIQAIoZuyGKpML6FwTWDOtI5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwNDA2MTIwMjI5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJZ6JVhoHpMJrp+ZF6VZyNci1+wFQQZXPvK3ol8XOjtGF6xa/m+FGLfQxEZyvqdk7mAZoZlHiKXH9JIeP4USvDHniQIBBdNmMjdqD/Az0S9iCZrSfLFQ2xl8YgRqlCI1MIWEn4czpzAQSe+qSS5k5vv4HdzHdQAA/7yUv67ly2tGcr6FgCTkzpd9G3BvqIMhAkvBoG25P1zMLOLFr3jd2YrFqs3qcz64RV0g4WsAfJZXNmk8zDxny/bVknDU+sWZpyYc6RtKinVYyCXtsezN3DzDCUX6svO7X5YQIIBU3ASXKICrZWMJX15xY8x9msqrcbPqWXmj8uASqNcTPLdWrxOswuH2J2eVixX/SY5bLrC5kzVRf6y6hMM3S/s1RQq5/iIv9sHN9zUrUEm0vupLY63dl8U522oqSlt7UrXFJR3+wskqGV428MstlG2ApkMpxrncJbF9zUIx6bD+ZoUWxMlguy3KHn3hinI0wUXNb0w+Xc8P8LDxio5XGBSDLFoZo+NvXQC+jbJDxNX57CiBgG+2t2a9k8ZTzIf7S0T9UfbkSQAOfLUNwCw96ubtfuVtw4IFJ26YNpAXd0lJA0S6l4PmRL+vJxGvidRbZSX/2UJ5Jmt+niDmQSd325mjRW+u7O2a5ZWmPJeeYppVQOolKFLWMvbVoKEobIYMW32yU1tdAgMBAAGjMjAwMB0GA1UdDgQWBBQYShBgqhAxw87cFacj99Gkz0wG9TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBb2so6HEt2LKKe6yIPR9d4vghM+/w8/Q+yKoTdYU94mGIDeyyKd1/xCpNVTaQN9CXRGrKwd89ni2VVk1yJMlDsh6/jOuDToMjvIYbWd9FI33f32pij+OEldWW3SRWM9oPhRT3Gy3Neb/Gy/caFpDq4qFvTQL9QwbeqsxJV8uqQ76w0mng7EdcZFRKvJ8jZNnK3lmo53COjZE3vdqAqSjvkF6vsORDlA/uBeM1NrY1Y7tIa/9RgHWlHoGsywF9DYP+GBK/gnETAwXYSRvKj+6lWgHd1SRRO4LtjdX20+U58dNMU2APFu7f23cGi6jRf+MQJKJiYVcuqR6Sflef26uRP5RkOgrHpPjrILvECM2Wfnw6xGwAr+ZLjFBYiYx6moOXhWtJeeaa3Ey0UTIpL4/Z7knOl0TEqZZ+xmuPxZX2Y1U9toStTIQKkv9f4ShyGBFbtL89zTexgH2oPDQBzgBSZc4yX4BYW6Ei9SrcoAunjAqxWxjz5n2nwnl2zhNV/2pClPaF14Ry1FvHYSNu+GoWm18xGAZElCjWduBsFd1b2VtcY+tfjf/BID5XsPywztW2xz71n6g3naWMxX7x9GrErSU/xSyuXbnKk4IoyLjEvsxCrGn7rRcmPvuLSN4B9kDRUv+6+k5bTl4FviWlm9QGs+9rILxlut6sHDerwgWxwtQ==", "ServerSignature": "jsM0JRJqUcphb7ISpY/13cWuZ6JJRYxmALcVMldT4SEbji3q3n5M/EbMWdg26MbwHsra/xYT+JpT/w+i/KUgD/WNCaBuF94AZ5IzsOi5hO5W7RAEkAj2/ShR2Ucr/bBcNvLly8jFHiGxTCSTMuF1LN6eR8qPRxiIqLYNG1Kja63eSwdNJE67bVNTfuCdJEoCARh4V+GQQ3nfEMYY22jK5jZqJcc9Jb2gA/Z2nyhFxV2jJDihJS6Ge9V3+CzM0AXD28NowQ3EcM9IRKy7MXwEhcJ3YKQRC6wyabtjZlvT2kCBmc3BMr20t74f40VgJhf9tsHEmt41enLjDSWoO6EcSM+kM3wKGzvkJ5THjMfKUzHsQXGbcgoU46AxhoLlx1eTth+fS1Rrq4gyscVoNvkweC4YOo020YLknlUBHyqW0FrNCbaYQ3WDwM4Zv/84FJQyBaGTSVQymDZyrrGpshbryMdW3pISE74fjOM3lmRCJDm2uSsDk+Vtr928dYvcs26lhGsjOWAiXT7vQMRB0bnBTh0/zzxuZwtx2MTw/GF4c2SJspdU+U3TlgdSwVmdUdmjvx8MrRv6TgyVhIHPGdXtgy+L5GxkFl2DwpaDQYckH7unIVVCGSuCa4u4D+9M1KqfwcLjSk2i7zRnhkIpCw9OfszCwuTNzk92/5OR3u5E6MM=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
CrSpoofer.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
CrSpoofer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
CrSpoofer.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa273:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x4d704:$a2: Stub.exe 0x4d794:$a2: Stub.exe 0x6f3a:$a3: get_ActivatePong 0xa48b:$a4: vmware 0xa303:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7cf5:$a6: get_SslClient
CrSpoofer.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa305:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa105:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: CrSpoofer.exe PID: 2104	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: CrSpoofer.exe PID: 2104	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1326a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.CrSpoofer.exe.a50000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.CrSpoofer.exe.a50000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa273:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x4d704:$a2: Stub.exe 0x4d794:$a2: Stub.exe 0x6f3a:$a3: get_ActivatePong 0xa48b:$a4: vmware 0xa303:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7cf5:$a6: get_SslClient
2.0.CrSpoofer.exe.a50000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa305:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CrSpoofer.exe

Avira: detected

Found malware configuration

Source: CrSpoofer.exe

Malware Configuration Extractor: AsyncRAT {"Server": "0.tcp.eu.ngrok.io", "Ports": "15174", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "XeSaBDVweaVCzikSzrqdWiRFXAruYM7t", "Mutex": "aNoM7pvDUvoo", "Certificate": "MIIE8jCCAtqgAwIBAgIQAIoZuyGKpML6FwTWDOtI5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwNDA2MTIwMjI5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJZ6JVhoHpMJrp+ZF6VZyNci1+wFQQZXPvK3ol8XOjtGF6xa/m+FGLfQxEZyvqdk7mAZoZlHiKXH9JIeP4USvDHniQIBBdNmMjdqD/Az0S9iCZrSfLFQ2xl8YgRqlCI1MIWEn4czpzAQSe+qSS5k5vv4HdzHdQAA/7yUv67ly2tGcr6FgCTkzpd9G3BvqIMhAkvBoG25P1zMLOLFr3jd2YrFqs3qcz64RV0g4WsAfJZXNmk8zDxny/bVknDU+sWZpyYc6RtKinVYyCXtsezN3DzDCUX6svO7X5YQIIBU3ASXKICrZWMJX15xY8x9msqrcbPqWXmj8uASqNcTPLdWrxOswuH2J2eVixX/SY5bLrC5kzVRf6y6hMM3S/s1RQq5/iIv9sHN9zUrUEm0vupLY63dl8U522oqSlt7UrXFJR3+wskqGV428MstlG2ApkMpxrncJbF9zUIx6bD+ZoUWxMlguy3KHn3hinI0wUXNb0w+Xc8P8LDxio5XGBSDLFoZo+NvXQC+jbJDxNX57CiBgG+2t2a9k8ZTzIf7S0T9UfbkSQAOfLUNwCw96ubtfuVtw4IFJ26YNpAXd0lJA0S6l4PmRL+vJxGvidRbZSX/2UJ5Jmt+niDmQSd325mjRW+u7O2a5ZWmPJeeYppVQOolKFLWMvbVoKEobIYMW32yU1tdAgMBAAGjMjAwMB0GA1UdDgQWBBQYShBgqhAxw87cFacj99Gkz0wG9TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBb2so6HEt2LKKe6yIPR9d4vghM+/w8/Q+yKoTdYU94mGIDeyyKd1/xCpNVTaQN9CXRGrKwd89ni2VVk1yJMlDsh6/jOuDToMjvIYbWd9FI33f32pij+OEldWW3SRWM9oPhRT3Gy3Neb/Gy/caFpDq4qFvTQL9QwbeqsxJV8uqQ76w0mng7EdcZFRKvJ8jZNnK3lmo53COjZE3vdqAqSjvkF6vsORDlA/uBeM1NrY1Y7tIa/9RgHWlHoGsywF9DYP+GBK/gnETAwXYSRvKj+6lWgHd1SRRO4LtjdX20+U58dNMU2APFu7f23cGi6jRf+MQJKJiYVcuqR6Sflef26uRP5RkOgrHpPjrILvECM2Wfnw6xGwAr+ZLjFBYiYx6moOXhWtJeeaa3Ey0UTIpL4/Z7knOl0TEqZZ+xmuPxZX2Y1U9toStTIQKkv9f4ShyGBFbtL89zTexgH2oPDQBzgBSZc4yX4BYW6Ei9SrcoAunjAqxWxjz5n2nwnl2zhNV/2pClPaF14Ry1FvHYSNu+GoWm18xGAZElCjWduBsFd1b2VtcY+tfjf/BID5XsPywztW2xz71n6g3naWMxX7x9GrErSU/xSyuXbnKk4IoyLjEvsxCrGn7rRcmPvuLSN4B9kDRUv+6+k5bTl4FviWlm9QGs+9rILxlut6sHDerwgWxwtQ==", "ServerSignature": "jsM0JRJqUcphb7ISpY/13cWuZ6JJRYxmALcVMldT4SEbji3q3n5M/EbMWdg26MbwHsra/xYT+JpT/w+i/KUgD/WNCaBuF94AZ5IzsOi5hO5W7RAEkAj2/ShR2Ucr/bBcNvLly8jFHiGxTCSTMuF1LN6eR8qPRxiIqLYNG1Kja63eSwdNJE67bVNTfuCdJEoCARh4V+GQQ3nfEMYY22jK5jZqJcc9Jb2gA/Z2nyhFxV2jJDihJS6Ge9V3+CzM0AXD28NowQ3EcM9IRKy7MXwEhcJ3YKQRC6wyabtjZlvT2kCBmc3BMr20t74f40VgJhf9tsHEmt41enLjDSWoO6EcSM+kM3wKGzvkJ5THjMfKUzHsQXGbcgoU46AxhoLlx1eTth+fS1Rrq4gyscVoNvkweC4YOo020YLknlUBHyqW0FrNCbaYQ3WDwM4Zv/84FJQyBaGTSVQymDZyrrGpshbryMdW3pISE74fjOM3lmRCJDm2uSsDk+Vtr928dYvcs26lhGsjOWAiXT7vQMRB0bnBTh0/zzxuZwtx2MTw/GF4c2SJspdU+U3TlgdSwVmdUdmjvx8MrRv6TgyVhIHPGdXtgy+L5GxkFl2DwpaDQYckH7unIVVCGSuCa4u4D+9M1KqfwcLjSk2i7zRnhkIpCw9OfszCwuTNzk92/5OR3u5E6MM=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for submitted file

Source: CrSpoofer.exe	ReversingLabs: Detection: 84%
Source: CrSpoofer.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: CrSpoofer.exe

Joe Sandbox ML: detected

Source: CrSpoofer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CrSpoofer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 0.tcp.eu.ngrok.io

Yara detected Generic Downloader

Source: Yara match

File source: CrSpoofer.exe, type: SAMPLE

Source: global traffic	TCP traffic: 192.168.2.5:49747 -> 3.78.28.71:15174
Source: global traffic	TCP traffic: 192.168.2.5:49912 -> 18.153.198.123:15174

Source: Joe Sandbox View	IP Address: 3.78.28.71 3.78.28.71
Source: Joe Sandbox View	IP Address: 18.153.198.123 18.153.198.123

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: CrSpoofer.exe, type: SAMPLE
Source: Yara match	File source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: CrSpoofer.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: CrSpoofer.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: CrSpoofer.exe, 00000002.00000000.2298492071.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs CrSpoofer.exe
Source: CrSpoofer.exe	Binary or memory string: OriginalFilenameStub.exe" vs CrSpoofer.exe

Source: CrSpoofer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CrSpoofer.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: CrSpoofer.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: CrSpoofer.exe, wKVPhtFtbPbiz.cs

Base64 encoded string: 'TTYmb+XHuWzSwG7wBjFXFLFb+g86kVcsWNMEswvHgHZFAyOXvm4dAQ4IxubbqwpiImZwVf/K2YFsDKikVaWH/U588VZfY+KcyE+2IWtsI/k=', 'l/B8XTg9S5xKJDLUol1cGt51fFzg7Kh9ql5vG7YVNf47xeWVJog/mLNMD5rSNWyOgWqvCQowry4tvzzld0RNdg==', 'UV1mAEKU45f3tqH1aeFw9QGuj2aP639kB1AfYcdcxYvNg+gKpkVp9E45smFAOj7l79m2s5WGE8bdcF8Z4eCk6A==', 'Ht3n6QKovmc+HSJH1KVuHmSWItL5nMXc+mJYcVoMMvPl1Oo5HZPq3RAAS49zQ7+PfzjmzVxjorL19oLb6b4ndOf8s81DM+oMnDSesMjHdKQYBoCK3nn/vPp4o7SLL1/q8W4DDRv94CdmpdlEUhHy1mdEUXwWHdINak6Lt9P4o8zSddEZ92mxGSaFDhPyXiWBx9dTYSzHuWdA4OOVHqj7Dpq0o8OCgZ6FgOrTMmFiOy6HGwaLMroiq03YPbD6A9x6JDMRJKJt2w4r6spPjIpp5iY4RhkO9rF9k4Li99d4Vuj2z7UiOWUUCjwe18h2Ey2d1RsgWnSvoTIXoNHQlLhUJxlVpOhWE6GOIcA3yyLd9a9/XEgKCNaZlX5FXxi+VNjfBlnej8PleJ0T+9Cg9M4JxQlOzOnrEhMMIR3hWLFKq8E2YzvI74Iqd8YUPKQ5Nuy8VhQcpEfsQvppwBBUDmJmhpr3XwOzOa+46R4NWRKJTv/Hw1GQXTveSzdgB3GYCt+dkv/J4WAQvFQ8O3Acx2Cf1cX8XQkQ1hheqX2rC/RZXx+1RqljlBvGiFBSBrXZq1GBdk5YNB8M5D9qkhLOeHXGu+LMgkgwn3lIJbxfJTOsZynW9dJOJd74D0WMkUWCjVW+o/+c+TwT1yz30cRQTRq6GxgjQxxywiD+ROqvUG2WpQtkN1FPKPgzKvDX25nPhHLhplW/XGfrYCavH7Byo74dEmsxSKEwnea3gsGbpnRhhlINevfjpWZOuF5fyvcd/GfCTS76Nh9jVr6qd3hMaI1U2TEGWTXmL3Bmf1WnYyRYAGaeV7MVn3NR7QEyNMgVTQa2riXOdSE7q/7yJ6o5tc1IoYdE72RUUOiLCxWqF1fLBAmCATEV9AwB7ES9x64YzNZ+YoXSKHixWimAG+14rqqA8AghnDB/9YJCSs5mkdNa4RSWKhfGTy8LRK0FlNWolnEXVvDv/REpqtjLQlK3E3Abt2UQIO9TMpwrQdcMRBdwhI8DEp4gtzP8Mq4kxTKPjE8gPpQ6tQAFdGluNZgY1e8yd9KVJq8TcvJ+1izAmcjpLZH1FWC6XsELVTcBEy5bqMudCUCb+oLNM64JygKHrRGVAVZCpGDTm0ZFpL3XJUo4jJVdQvvW35PIuZcit3dpL7Ok9NMh+x7ubttquxZegmQdUvbuA73uL6MI37uOpAGJzvGpM9/WEanfnv9KcXBmPWVZ+I2gTYXddSB6ookj/eFs0K/lUgPINx8rA2iplQGY+lO9vCUSRXT/aOgjAXloTkHcqthqnMyJdOE0VCMoTYiISl7qzl3+fXKT8LuudArUMfX8eqvEZAONKTtkT0RGXGBP5BQiy9y55pkaSBdOkQdhdEPjTriF9CWECG3/OntEHi0VdBkLVg3/l0HTMS5yrWqwM4pCOO2r5yFc0j9L0U0UYX5hckWu+OnFLzI8o2SiVpdLG/x3DGrPdhv0xj+zhEJfjWXvayfG3PmSvUN57YUiMgdK0eM1kIoHPjLtivbn6sN4dyJTnvGNwLgafPaUx3jPb7wNDL33EUIJX7XgJJA4aPMmW108KMoU5/G6fNc8j9tkVtMK/Wcf9Qle8SQ9vd9leRGYW8XcxEb7mVjiCuC/4rExC3hIjvLZkM3IBZIPGXtbRuL19HlugRnJR8/FjYAR02hREcbJMT/ikPjMB9RYCIU3d5j8GSiAZJoyvNwYguYf2bzAW6ZXIS6VgmLNepawamkXThRUiAk00X0Q8FKsTbF+S/RsZPKGHQaGLcjMFB41Cgw5wvOwZ7xW7YIivhi5jILgitXAL4Xiaf+4Z5mYKj30wnGjS9N0P1Mm0oaE7dvWBxzAIO6ZJy2nEXFoBr/Xb00j7J2JAf5xctscvEqZTFD+TqXMul+dVPJgeMwmXfPWRzfGawfvsXt5tXwZUoA1H8DDoU1rAF+QG7MidMtZYNg9ZuSdLsnuHyvliz2KqpcGsuyIRinio2Oi1/+TDdC7hxFEawSUfCbiKmqH+OsCWQuxT8IR1QaMXGzJhC1COM1IyKHX2eMOTjokMwfuyUK5oQNDGh1KlfnyTqcoXEkTJYX5wh01kzXS0bJTg4brhWz/H58TLXXF/H8sDBGW1hfMxYi9qht4QkP+AuByze+VpR46F7ovGH99zkKpMLaFALbHD+Y4BxVqn0D4+v4Nj8YrKb7TuAqe0vFkzfI0ba8vFkXp4AqN14d9ITO0neUo6MkvNrxafCJ1r8Yp8yzxbeAVMwo6UH+W4oQPkIJlWpbnXSoH6MMFDrvag92u/a/8Tf2D3LItjR0XFXYNaUTehipnFxcJdXpi4RHO8I0oCc5vYjaLfkh/Uf6pTlfz4HXWbRI=', 'ssULbq5nI3xQOXzskksHU+M2DBqgVt6BcZuvBQjRZ8ryAXUzvp2xJswmSeQjv0sqTYliBp4Aj4PbDCHQ3Dgp4w==', 'XWc5S6aolzSmnaV/JGeYbCZLwDVRpsh8hJllVh2zsiHAKEhQxnxYDm4uN+X/Ai2o7yFTPNiZSZGt0ytsoo2BpQ=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\CrSpoofer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\CrSpoofer.exe	Mutant created: \Sessions\1\BaseNamedObjects\aNoM7pvDUvoo

Source: CrSpoofer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CrSpoofer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\CrSpoofer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CrSpoofer.exe	ReversingLabs: Detection: 84%
Source: CrSpoofer.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Section loaded: schannel.dll	Jump to behavior

Source: CrSpoofer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CrSpoofer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CrSpoofer.exe, UcfjAinbFA.cs

High entropy of concatenated method names: 'pxAJRsISVTXaO', 'jhSGqEPQhuwoFl', 'cpTEhwAVcVMtqkXH', 'WIVbrfvrpZKEFu', 'TNiIsuVZBkYM', 'xQpHbmwNmvkwDwleQ', 'qfkwHDVMsfma', 'ZDujyoaLfhh', 'lKfavNbZcmeY', 'yGleACzzVtGqK'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: CrSpoofer.exe, type: SAMPLE
Source: Yara match	File source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR

Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: CrSpoofer.exe, type: SAMPLE
Source: Yara match	File source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CrSpoofer.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\CrSpoofer.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CrSpoofer.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CrSpoofer.exe TID: 2780

Thread sleep time: -80000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\CrSpoofer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\CrSpoofer.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: CrSpoofer.exe	Binary or memory string: vmware
Source: CrSpoofer.exe, 00000002.00000002.3541344839.00000000010DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm

Source: C:\Users\user\Desktop\CrSpoofer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CrSpoofer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CrSpoofer.exe

Queries volume information: C:\Users\user\Desktop\CrSpoofer.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\CrSpoofer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: CrSpoofer.exe, type: SAMPLE
Source: Yara match	File source: 2.0.CrSpoofer.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CrSpoofer.exe PID: 2104, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CrSpoofer.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
CrSpoofer.exe	79%	Virustotal		Browse
CrSpoofer.exe	100%	Avira	TR/Dropper.Gen
CrSpoofer.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
0.tcp.eu.ngrok.io	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
0.tcp.eu.ngrok.io	3.78.28.71	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0.tcp.eu.ngrok.io	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.78.28.71	0.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true
18.153.198.123	unknown	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575584
Start date and time:	2024-12-16 06:17:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CrSpoofer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.190.181.0, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CrSpoofer.exe, PID 2104 because it is empty
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.78.28.71	7299_output.vbs	Get hash	malicious	Unknown	Browse
	TLH3anP3lh.exe	Get hash	malicious	Njrat	Browse
	r0FS3r7Ore.exe	Get hash	malicious	Njrat	Browse
	lXLWfHWHMd.exe	Get hash	malicious	Njrat	Browse
	4zeGOaTirn.exe	Get hash	malicious	Njrat	Browse
18.153.198.123	YiWuyX184J.exe	Get hash	malicious	Njrat	Browse
	TLH3anP3lh.exe	Get hash	malicious	Njrat	Browse
	OLHskBFtS1.exe	Get hash	malicious	Njrat	Browse
	tjK8Z8Q3JH.exe	Get hash	malicious	Njrat	Browse
	4zeGOaTirn.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	ImageMso.Gallery.xll	Get hash	malicious	Unknown	Browse	13.107.246.63
	iAERhkhaZC.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	6eftz6UKDm.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	Adver Ransomware.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	Starcat Ransomware 32bit.exe	Get hash	malicious	Starcat	Browse	13.107.246.63
	RCRU64 Ransomware.exe	Get hash	malicious	TrojanRansom	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.63
	O4nVtyc9UD.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	Yl5PzZNJRC.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
0.tcp.eu.ngrok.io	7299_output.vbs	Get hash	malicious	Unknown	Browse	3.78.28.71
	Opera.exe	Get hash	malicious	ZTrat	Browse	52.57.120.10
	YiWuyX184J.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	TLH3anP3lh.exe	Get hash	malicious	Njrat	Browse	52.57.120.10
	r0FS3r7Ore.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	OLHskBFtS1.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	lXLWfHWHMd.exe	Get hash	malicious	Njrat	Browse	18.192.31.30
	tjK8Z8Q3JH.exe	Get hash	malicious	Njrat	Browse	18.153.198.123
	4zeGOaTirn.exe	Get hash	malicious	Njrat	Browse	3.78.28.71
	C9zGTJBy3T.exe	Get hash	malicious	Njrat	Browse	3.125.209.94

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	18.224.21.137
	arm5.elf	Get hash	malicious	Unknown	Browse	35.164.31.57
	arm.elf	Get hash	malicious	Unknown	Browse	18.146.49.140
	sh4.elf	Get hash	malicious	Unknown	Browse	54.104.203.158
	ppc.elf	Get hash	malicious	Unknown	Browse	3.3.247.98
	mips.elf	Get hash	malicious	Unknown	Browse	18.202.125.197
	arm6.elf	Get hash	malicious	Unknown	Browse	18.253.84.76
	x86.elf	Get hash	malicious	Unknown	Browse	15.184.158.117
	hmips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	sparc.elf	Get hash	malicious	Unknown	Browse	18.135.9.157
AMAZON-02US	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	18.224.21.137
	arm5.elf	Get hash	malicious	Unknown	Browse	35.164.31.57
	arm.elf	Get hash	malicious	Unknown	Browse	18.146.49.140
	sh4.elf	Get hash	malicious	Unknown	Browse	54.104.203.158
	ppc.elf	Get hash	malicious	Unknown	Browse	3.3.247.98
	mips.elf	Get hash	malicious	Unknown	Browse	18.202.125.197
	arm6.elf	Get hash	malicious	Unknown	Browse	18.253.84.76
	x86.elf	Get hash	malicious	Unknown	Browse	15.184.158.117
	hmips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	sparc.elf	Get hash	malicious	Unknown	Browse	18.135.9.157

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.5553259242690545
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	CrSpoofer.exe
File size:	319'488 bytes
MD5:	2e87d4e593da9635c26553f5d5af389a
SHA1:	64fad232e197d1bf0091db37e137ef722024b497
SHA256:	561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8
SHA512:	0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3
SSDEEP:	1536:vuPfZTgKa2fl7vACbbZvsZyMmXdz1P03Jr+4buiCsRxjToex:vuPBTgKa2NbA+bZE2XP2CsR9oex
TLSH:	9264E6607BA5AD0AE93B0BB85065D3B95363BF697202C3061CF1FC637533A821DD15D9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e.....................,......^.... ........@.. .......................@............@................................

File Icon


Icon Hash:	44de787832506410

Static PE Info

General

Entrypoint:	0x40d05e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd00c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x428cb	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb064	0xb200	d4b61db217386e02f629229e90265972	False	0.5413448033707865	data	5.618784830654349	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x428cb	0x42a00	b41db1ffef3210ef5bdd03eccbc2ab85	False	0.08520828447467167	data	1.7846622064522097	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0xc	0x200	15084b3914063aed16bc949794199c55	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	0.0822447258632423
RT_GROUP_ICON	0x50158	0x14	data	1.1
RT_VERSION	0x5016c	0x2cc	data	0.43575418994413406
RT_MANIFEST	0x50438	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:18:35.871062994 CET	49747	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:35.990847111 CET	15174	49747	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:35.991120100 CET	49747	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:36.005359888 CET	49747	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:36.125135899 CET	15174	49747	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:37.261856079 CET	15174	49747	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:37.262042999 CET	15174	49747	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:37.262465000 CET	49747	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:42.286933899 CET	49747	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:42.288299084 CET	49763	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:42.408077002 CET	15174	49763	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:42.408191919 CET	49763	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:42.408670902 CET	49763	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:42.528321028 CET	15174	49763	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:43.679924965 CET	15174	49763	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:43.680160046 CET	15174	49763	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:43.680228949 CET	49763	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:48.690808058 CET	49763	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:48.691755056 CET	49781	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:48.811510086 CET	15174	49781	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:48.811681032 CET	49781	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:48.812060118 CET	49781	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:48.970930099 CET	15174	49781	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:50.090931892 CET	15174	49781	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:50.091051102 CET	15174	49781	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:50.091303110 CET	49781	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:55.097182989 CET	49781	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:55.098733902 CET	49797	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:55.218405008 CET	15174	49797	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:55.218508005 CET	49797	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:55.219192028 CET	49797	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:18:55.338901997 CET	15174	49797	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:56.495630026 CET	15174	49797	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:56.496102095 CET	15174	49797	3.78.28.71	192.168.2.5
Dec 16, 2024 06:18:56.496246099 CET	49797	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:01.503238916 CET	49797	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:01.504235983 CET	49813	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:01.626070023 CET	15174	49813	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:01.626323938 CET	49813	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:01.627015114 CET	49813	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:01.747160912 CET	15174	49813	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:02.901376009 CET	15174	49813	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:02.901786089 CET	15174	49813	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:02.902225971 CET	49813	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:07.909653902 CET	49813	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:07.910490036 CET	49830	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:08.030957937 CET	15174	49830	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:08.031161070 CET	49830	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:08.031980038 CET	49830	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:08.151685953 CET	15174	49830	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:09.300601006 CET	15174	49830	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:09.300720930 CET	15174	49830	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:09.300838947 CET	49830	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:14.315640926 CET	49830	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:14.316637039 CET	49846	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:14.436292887 CET	15174	49846	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:14.436398029 CET	49846	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:14.437043905 CET	49846	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:14.556668997 CET	15174	49846	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:15.710298061 CET	15174	49846	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:15.710741997 CET	15174	49846	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:15.710829020 CET	49846	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:20.721848965 CET	49846	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:20.723007917 CET	49862	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:20.842900038 CET	15174	49862	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:20.843842983 CET	49862	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:20.844615936 CET	49862	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:20.964431047 CET	15174	49862	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:22.117647886 CET	15174	49862	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:22.117686987 CET	15174	49862	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:22.117784977 CET	49862	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:27.128341913 CET	49862	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:27.129163027 CET	49879	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:27.248980999 CET	15174	49879	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:27.249079943 CET	49879	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:27.249743938 CET	49879	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:27.369494915 CET	15174	49879	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:28.523261070 CET	15174	49879	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:28.523562908 CET	15174	49879	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:28.523616076 CET	49879	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:33.547199965 CET	49879	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:33.556281090 CET	49895	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:33.676039934 CET	15174	49895	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:33.676147938 CET	49895	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:33.683141947 CET	49895	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:33.802871943 CET	15174	49895	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:34.946791887 CET	15174	49895	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:34.947520971 CET	15174	49895	3.78.28.71	192.168.2.5
Dec 16, 2024 06:19:34.947617054 CET	49895	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:39.956275940 CET	49895	15174	192.168.2.5	3.78.28.71
Dec 16, 2024 06:19:40.208208084 CET	49912	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:40.328015089 CET	15174	49912	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:40.328214884 CET	49912	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:40.328773975 CET	49912	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:40.448472977 CET	15174	49912	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:41.602981091 CET	15174	49912	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:41.603112936 CET	15174	49912	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:41.603193998 CET	49912	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:46.612688065 CET	49912	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:46.613974094 CET	49928	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:46.733665943 CET	15174	49928	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:46.733817101 CET	49928	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:46.734249115 CET	49928	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:46.853954077 CET	15174	49928	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:48.012033939 CET	15174	49928	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:48.012209892 CET	15174	49928	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:48.012326002 CET	49928	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:53.019367933 CET	49928	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:53.020468950 CET	49943	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:53.140208006 CET	15174	49943	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:53.140307903 CET	49943	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:53.140726089 CET	49943	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:53.260452032 CET	15174	49943	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:54.414944887 CET	15174	49943	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:54.414999008 CET	15174	49943	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:54.415081024 CET	49943	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:59.425117016 CET	49943	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:59.426394939 CET	49959	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:59.546082020 CET	15174	49959	18.153.198.123	192.168.2.5
Dec 16, 2024 06:19:59.546183109 CET	49959	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:59.546669960 CET	49959	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:19:59.666301012 CET	15174	49959	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:00.988323927 CET	15174	49959	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:00.988425970 CET	15174	49959	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:00.988490105 CET	49959	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:06.003616095 CET	49959	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:06.004911900 CET	49975	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:06.124593019 CET	15174	49975	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:06.124723911 CET	49975	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:06.125222921 CET	49975	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:06.244796038 CET	15174	49975	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:07.399765015 CET	15174	49975	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:07.399842024 CET	15174	49975	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:07.399904966 CET	49975	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:12.409672976 CET	49975	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:12.411464930 CET	49991	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:12.531292915 CET	15174	49991	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:12.531487942 CET	49991	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:12.532180071 CET	49991	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:12.651899099 CET	15174	49991	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:13.805824041 CET	15174	49991	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:13.806094885 CET	15174	49991	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:13.806212902 CET	49991	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:18.815699100 CET	49991	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:18.816912889 CET	50007	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:18.936620951 CET	15174	50007	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:18.936786890 CET	50007	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:18.937410116 CET	50007	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:19.057027102 CET	15174	50007	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:20.212265968 CET	15174	50007	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:20.212665081 CET	15174	50007	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:20.212718010 CET	50007	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:25.222692013 CET	50007	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:25.224154949 CET	50012	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:25.344291925 CET	15174	50012	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:25.344475985 CET	50012	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:25.345042944 CET	50012	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:25.464693069 CET	15174	50012	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:26.615567923 CET	15174	50012	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:26.615678072 CET	15174	50012	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:26.615864038 CET	50012	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:31.628366947 CET	50012	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:31.629564047 CET	50013	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:31.750422955 CET	15174	50013	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:31.750550985 CET	50013	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:31.751033068 CET	50013	15174	192.168.2.5	18.153.198.123
Dec 16, 2024 06:20:31.870733023 CET	15174	50013	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:33.021486998 CET	15174	50013	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:33.021737099 CET	15174	50013	18.153.198.123	192.168.2.5
Dec 16, 2024 06:20:33.021852970 CET	50013	15174	192.168.2.5	18.153.198.123

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:18:34.980418921 CET	63144	53	192.168.2.5	1.1.1.1
Dec 16, 2024 06:18:35.829479933 CET	53	63144	1.1.1.1	192.168.2.5
Dec 16, 2024 06:19:39.957062006 CET	64023	53	192.168.2.5	1.1.1.1
Dec 16, 2024 06:19:40.207384109 CET	53	64023	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 06:18:34.980418921 CET	192.168.2.5	1.1.1.1	0x3b1e	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:19:39.957062006 CET	192.168.2.5	1.1.1.1	0x3b1	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 06:18:23.246635914 CET	1.1.1.1	192.168.2.5	0xf69f	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 06:18:23.246635914 CET	1.1.1.1	192.168.2.5	0xf69f	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:18:35.829479933 CET	1.1.1.1	192.168.2.5	0x3b1e	No error (0)	0.tcp.eu.ngrok.io		3.78.28.71	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:19:40.207384109 CET	1.1.1.1	192.168.2.5	0x3b1	No error (0)	0.tcp.eu.ngrok.io		18.153.198.123	A (IP address)	IN (0x0001)	false

Target ID:	2
Start time:	00:18:29
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\CrSpoofer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CrSpoofer.exe"
Imagebase:	0xa50000
File size:	319'488 bytes
MD5 hash:	2E87D4E593DA9635C26553F5D5AF389A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000000.2298492071.0000000000A52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02C81727 Relevance: 5.4, Strings: 4, Instructions: 444COMMON

Download Yara Rule

Strings

acq, xrefs: 02C81CDF
acq, xrefs: 02C81D3C
xgq, xrefs: 02C81D76
,, xrefs: 02C81870

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: acq$ acq$,$xgq
API String ID: 0-3878074385
Opcode ID: da2f56d2f9d9ce663895e8d377269c4a088ff8c43acdcd7679c9a225c5db462f
Instruction ID: 0025e8d1ba502fdf2f12358e2756137edb35171dd73656890008db9331737e4e
Opcode Fuzzy Hash: da2f56d2f9d9ce663895e8d377269c4a088ff8c43acdcd7679c9a225c5db462f
Instruction Fuzzy Hash: 8802CF707002059FDB15FF29D458B6E7BE2BF84308F248A29E4059B399DFB5AD46CB81

Function 02C81962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

acq, xrefs: 02C81CDF
acq, xrefs: 02C81D3C
xgq, xrefs: 02C81D76

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: acq$ acq$xgq
API String ID: 0-3257647305
Opcode ID: e7beae2ad4ccc0b305e5032c040fdd4fc67fcf682a0487118506016202016bab
Instruction ID: 5cc8b45885fbd2b46e54f04d4b3a7cff9d6e17f9305848c7155cc2b275a13000
Opcode Fuzzy Hash: e7beae2ad4ccc0b305e5032c040fdd4fc67fcf682a0487118506016202016bab
Instruction Fuzzy Hash: 216199B47002049FD715BF29E848B5A7BE2FF84308F648929E5069B395DBB5AD498F80

Function 02C80EBA Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

dp, xrefs: 02C80F05
(gq, xrefs: 02C81192
Tecq, xrefs: 02C80EED

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: (gq$Tecq$dp
API String ID: 0-1580151992
Opcode ID: d822a02d4d735c5a6ddab09747ff81773540df7a5fd9d07eacef7001075b172d
Instruction ID: 20140812ccab345466b7bd39ba3336c518bfd087709ca44599c04a38bc0efd5f
Opcode Fuzzy Hash: d822a02d4d735c5a6ddab09747ff81773540df7a5fd9d07eacef7001075b172d
Instruction Fuzzy Hash: FF518C30B101049FCB44EF69C458A6EBBF6EF89714F2581A9E806DB3A5CA75ED01CB90

Function 02C80D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLiq, xrefs: 02C80D5B
Hgq, xrefs: 02C80E40

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: Hgq$dLiq
API String ID: 0-4280054783
Opcode ID: b3aff58dd7e31fcaa35cbd33d8a76d256da6ef5396174b652db67f53ff1e1c68
Instruction ID: fb6649beab04be3821a7e10b7e4cab4c9fe320d59baaa2bda6f6015ffde28558
Opcode Fuzzy Hash: b3aff58dd7e31fcaa35cbd33d8a76d256da6ef5396174b652db67f53ff1e1c68
Instruction Fuzzy Hash: 2D41F3317042449FCB15EF79D458AAEBBF6EF89304F1484AAE445DB3A2CB35AD05CB90

Function 02C81339 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRcq, xrefs: 02C8138B

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: aba32e3b8955651ce203b9226e927806aa4f45baeb05cc6cda82e094b431abfe
Instruction ID: 9cc817a8c015c8e0a36831ddc7087d71b0dc9a5238549cc6111513ea4a7f8c3d
Opcode Fuzzy Hash: aba32e3b8955651ce203b9226e927806aa4f45baeb05cc6cda82e094b431abfe
Instruction Fuzzy Hash: 6831F471F002168FCB04AB79C554A6E7BF2BFC9204B188469E14DDB365DE70DD02C791

Function 02C80D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLiq, xrefs: 02C80D5B

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: dLiq
API String ID: 0-2143115944
Opcode ID: 180ae0349074474b2cae4accbec005003bd9095f6e15099cadfbca3cc807565c
Instruction ID: aef751873030731c9272ed566f330120e3ba97b713643d0491ae8c16bb66ced0
Opcode Fuzzy Hash: 180ae0349074474b2cae4accbec005003bd9095f6e15099cadfbca3cc807565c
Instruction Fuzzy Hash: 8231A271A042049FDB15DF69C458BAEBBF2FF88304F1485AAE441AB361CB75ED44CB91

Function 02C80E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hgq, xrefs: 02C80E40

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: 81f086c3052880730525d48175207055d15eabb99d116f83468ec560b376959a
Instruction ID: 6c49b065c92bf066ab58ac06d0c845ea7a93e21d99c377767b96873c27b555d7
Opcode Fuzzy Hash: 81f086c3052880730525d48175207055d15eabb99d116f83468ec560b376959a
Instruction Fuzzy Hash: 73F0CD217082805FC347673D582446E7FA79FCB15479948F6E185CF397DD259D058351

Function 02C80AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d6d86bcfe5778f6b4f470d34a913de21e5c9ff36e2795f74ba2e67de9a600e
Instruction ID: df96c542c574f82cb4f930479bb31d2bcf9f1e2e73a93f4b00b28f0b9cfc63e0
Opcode Fuzzy Hash: 47d6d86bcfe5778f6b4f470d34a913de21e5c9ff36e2795f74ba2e67de9a600e
Instruction Fuzzy Hash: 1051A878600229AFCB17EB39F44C95A7763FF853057A08A68E841CB25DEB35A945DF80

Function 02C811D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c209ffcd3127503670c4e0e35234d2583df509b481fa53ab53f8ae34602de9b8
Instruction ID: e24a1ea5e94935b82db00e8b6296c6a991f698efc19b8d84fc3def063a683043
Opcode Fuzzy Hash: c209ffcd3127503670c4e0e35234d2583df509b481fa53ab53f8ae34602de9b8
Instruction Fuzzy Hash: 3D418FB0E00209AFCB04EFB9C85466EBBFAFF88314F24C569D449D7345DA34A9428B91

Function 02C81030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f249cab22fa414e4bf34e67720d823a934692be73313e90c6192d931519a6b3b
Instruction ID: 82f07e8da5ba2e9e9fa509e40ef2e7c14add44baff9e23d0008645a1888156d2
Opcode Fuzzy Hash: f249cab22fa414e4bf34e67720d823a934692be73313e90c6192d931519a6b3b
Instruction Fuzzy Hash: 21215C74B001049FE714EB69C995BAE7BF2BF88724F248065E805AB3A5CBB19D01CF80

Function 02C80998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeeba1a01ea077d668cfe0739215f06bb6290338cc578f6dbd161c1c4502eccb
Instruction ID: b4067387d3c3bbe0d81ea1c873962602ffb0b92089c40b0352483ab5510577f8
Opcode Fuzzy Hash: eeeba1a01ea077d668cfe0739215f06bb6290338cc578f6dbd161c1c4502eccb
Instruction Fuzzy Hash: 1E21A931780246EFDB69BF76E81C6BE3BA4AF85209F40C56DE807C6144EB30DA48CB51

Function 02C809A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b80c4409fc1cad7604b1931b7a1970851d53a7d15e7cf8fc234ad4789d9154
Instruction ID: bf63fc6780a872d3e1f0945301fddbe6e171f4f90de2e315b96406694491d53e
Opcode Fuzzy Hash: 15b80c4409fc1cad7604b1931b7a1970851d53a7d15e7cf8fc234ad4789d9154
Instruction Fuzzy Hash: 60215E317902179FDF64BB76F51C6BF7AA4AF85609F40952DD807C2148EB30C648CB62

Function 02C81431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7eafd71f3285bbd20d9bf67331ab38aaf2e293d7c86c6dfdff6179268284fb
Instruction ID: 3a6627ab4ce3bb1d6454cb277bd0b07cd9ed007bdfed59071f63763ac7dd9840
Opcode Fuzzy Hash: 7c7eafd71f3285bbd20d9bf67331ab38aaf2e293d7c86c6dfdff6179268284fb
Instruction Fuzzy Hash: 5211C634A00255DFCB55EB79D4186697BF5EFC920571849BCC445CB325EA31DD42CB80

Function 02C81440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ac284c23cf5ff35091fe1d9382789ce810ab48e6719041b399ebfd93a04fd8
Instruction ID: a6838fb6a82029db7d546a6458a2ff06ea863dad32c9c3f7966b54ef104f77c8
Opcode Fuzzy Hash: 99ac284c23cf5ff35091fe1d9382789ce810ab48e6719041b399ebfd93a04fd8
Instruction Fuzzy Hash: CB11AD70B00219DFCB54EBBAD508A6A7BE6BFC82057244878D40ADB358EB31DD42CB90

Function 02C816A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d9b30a00b1a7af0a8df6f54587cb0920c61840f880c8c344dd77cc6be01814
Instruction ID: 4d8faeed0aa2f80b7b3b484dbca00f7136f207f13469e6714dc8cb55cc5dc68a
Opcode Fuzzy Hash: 73d9b30a00b1a7af0a8df6f54587cb0920c61840f880c8c344dd77cc6be01814
Instruction Fuzzy Hash: 0901DF74B012149FCF58FB69D469BBE77F4EF84609F0C806DC80AD7240DB609902CB92

Function 02C80A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f944154753c5791d9c86a89cb6eb88915b68a234d337447cecd9a9a9d2c9b87f
Instruction ID: 06b3f77c5b4a8cf5d321a1b3aa242fd84d847633bb20375803270b81fc9d462b
Opcode Fuzzy Hash: f944154753c5791d9c86a89cb6eb88915b68a234d337447cecd9a9a9d2c9b87f
Instruction Fuzzy Hash: 65C08C22194247CFD33033A0F40C3EC3E10AB8130AF808106F843040858E7015088717

Function 02C80A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3541747447.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c80000_CrSpoofer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd2ea1408fff9f4bb601c8776f711cdb9437df744784ab261e7b7f23340c924
Instruction ID: 269ade28ef92e12d6b45226d579990dbaa462338538398e17eb0628cc6459751
Opcode Fuzzy Hash: dfd2ea1408fff9f4bb601c8776f711cdb9437df744784ab261e7b7f23340c924
Instruction Fuzzy Hash: B5C08C2219468BCFD7303360F40C3EC3E10AB8130AF80810AF443040858E701508CB17

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CrSpoofer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
CrSpoofer.exe