Edit tour

Windows Analysis Report
aaa (3).exe

Overview

General Information

Sample name:	aaa (3).exe
Analysis ID:	1575591
MD5:	8123d15bb6100a19ac103b4ec3d592bf
SHA1:	713d2344beb28d34864768e7b2c0463044bdc014
SHA256:	68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

aaa (3).exe (PID: 5604 cmdline: "C:\Users\user\Desktop\aaa (3).exe" MD5: 8123D15BB6100A19AC103B4EC3D592BF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "127.0.0.1,6.tcp.eu.ngrok.io", "Ports": "6606,7707,8808,8080,18274", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "q5nKxirlOU5db6lZWvxA5EhzCkTwWZr3", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAMB4VUEBwLw5hMatf75DyTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNDA4MDAxNjIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKw5GzpUyua1jPwCXXjc4uTKkAan7wbKFv++TPkmRbnRG8CJ9mYZjbHtfSY6OZ0zQxu07SQdXO7+tAkUS6c/8ttUoCBm/yOaEGJiu6o6FRugkZWJAE3xb1v7YGp9WMfWGFK0Xb5iIoqzktiph/+Xq8PKtf8WvrAjr7ShWbvBjDtzhkEeENeRgX1dQ+zq6t9yjvjN+xSqTrghh6WfYUv+A+uZBzT4Q4GTtG+srDs1YqJKOUwl/jAw21t8nzl6Z1ODxgQAN/bCy2LBajacvqGMC1rHkmvMGH6MntZVqln91UEjBrNVSRI4glX2APhfydgTgHXlNvrDHce4W1hw/lBvcwSK+4Pxe2Wu8zINSwSEU9iFwSDiwGZtrxq6BFmieh3fXoLm5zg7fZxbGHfLI1hBMoHobcYRRlRZf+6k+EtJiBqbEGoBP1phEHJP2+DQw80QSZfkI+To9au/asIGPc339k7wWUtmBSKdPXNBsGabGeiLSYiNyLXd1Ghk6Hba/LovSzWd1cvBRaillHw8yLMUuFaJOghAbHanQatEg74L5kSqQPJfFMQ4OaN+a9Fl2Z40/gUiU50kYisEXaeWAck55woCpvQTztUJKzeSmTlZbwgFuL6LWoTLp0WKRzbp/sS+ow8J1r3SpU1NJ7FGF9PDKF+bKQ3LTJzBjBNDJhq5v/0dAgMBAAGjMjAwMB0GA1UdDgQWBBTyOXQJQhADaJF5TWVumt18V9GAzTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAC8MhiJwKZAE2Fe104DudiFYG3xhrXx64qFVeHNPCmy88/lfhJpWF5Ciq7aei/O6pKLsau2/pWOhBc/0F1Cw/nBeo07ph39P/Got0YBE7fHX2koMV/iAnfP2aJHvxkZ4UwYhVzfTJXlB7lOho07+WNVvgI6eqdomQoBPaM+opGLjVSO7zlMLBOpi5P1BYTHpm5sgLma5Z1C7EN1ITDMc/V4IEe+3tBP3IvIwfDXPyN3Un1KrsXdRbZT0Ih+rli+3nMazRT3lpYOnq0tqJkowCrgI+zc3g2kfnLo2jKL9aU1QkZUlBdDSC49HJTxhqndKxz+m7ITPoZHLpNX/CwkTrLUwlSI4XY9Dsdya0Ne9tRLFA9nhvHTEWWUrDwGBmHgxyGKAfAOzR/pJDTuwOGFvMnqauiJg1zkzXNkSCSqab11IFzZZPT/kntt/gEOLrGJJv0luQbrtCjwdmxKc4KH3FMjKfqDoEG2ZtwU4uzLiUynh1D5k9iFOI+u07yKy7hbdJDQNj16LhPvmvj4w6AyvFlzkVSp1r4S0eJ7QsOIXXpeFszvjTvM21nOeWBuj5yaE5cXJFoF5nFG/YxlliPPbPf/Utj8Gxyz1Rv8wKXhX5MaFrlpwczQunNFGFbESfDJsO3FXJLBdgVDrw4qNh+1R+vBXG3aGSmeG8l/NMGfunwNw==", "ServerSignature": "VKyHr4axgOczigiAY0dv3gbuolZGrbIX+AITS7/QuyV5I3+q7ulMtc/YoAtp8wmIZh62rL+L+YhZqMBpOPn2qlIYaWIblWde7XtxPvg9ixai9nq8nlCOcz+MknZEkhYZ8dOrc4CmRMYBW4egTOKnV8+9BwOzs28B+jI9JQLnQcNdmredgx0warAJjVzkH2r0sBgTpwbvk0yGlcA4lDybvcln+yVhrl6VTSDtc0qg5akiS7yYmn/0dPRmdUn7wc2LfXzKGQhdOfKRLInYuf8NbqT5Zyq7LhEO+nOdVsPICRdbhSwJ+k54rai823Pc28gHwnWKBQzjbJEgZckT4Wsihqb+fMPdgI9kcZmTCfpDlebwkDyVDsR7wYC+ZTF84eqHKgd0nmtnBYgA6HziKygxiPkJo27QlTlEfpD8ShdiGPbN7aiic7daJN+MOZwNVPKvyHbp4CSMHOqyq0Em+Xmv9czpw8HXNcLbyXCk/4XnWxs++qREBCAU75aM2P+6ZLS1fg11kxjzpIKI3fMEGnD7zHsB9qATDtJ5XdfBA9RxxkJfz5DHD+FOm5zG6R2Jd7L/AlzGzWz4g50WV0dXmiy2+V5k8FtqYjju6Ev6jFdzqKK0++sjnU0lvqA75bmGDm/wfYL7WxwIVkj8AVVykw/hHGH2/Ug8349XSTrTFm8J/HQ=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
aaa (3).exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
aaa (3).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
aaa (3).exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x996b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6703:$a3: get_ActivatePong 0x9b83:$a4: vmware 0x99fb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7452:$a6: get_SslClient
aaa (3).exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: aaa (3).exe PID: 5604	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: aaa (3).exe PID: 5604	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3d0da:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.aaa (3).exe.680000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.aaa (3).exe.680000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.aaa (3).exe.680000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x996b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6703:$a3: get_ActivatePong 0x9b83:$a4: vmware 0x99fb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7452:$a6: get_SslClient
0.0.aaa (3).exe.680000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 3.68.171.119, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\aaa (3).exe, Initiated: true, ProcessId: 5604, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49781

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: aaa (3).exe

Avira: detected

Found malware configuration

Source: aaa (3).exe

Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,6.tcp.eu.ngrok.io", "Ports": "6606,7707,8808,8080,18274", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "q5nKxirlOU5db6lZWvxA5EhzCkTwWZr3", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAMB4VUEBwLw5hMatf75DyTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNDA4MDAxNjIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKw5GzpUyua1jPwCXXjc4uTKkAan7wbKFv++TPkmRbnRG8CJ9mYZjbHtfSY6OZ0zQxu07SQdXO7+tAkUS6c/8ttUoCBm/yOaEGJiu6o6FRugkZWJAE3xb1v7YGp9WMfWGFK0Xb5iIoqzktiph/+Xq8PKtf8WvrAjr7ShWbvBjDtzhkEeENeRgX1dQ+zq6t9yjvjN+xSqTrghh6WfYUv+A+uZBzT4Q4GTtG+srDs1YqJKOUwl/jAw21t8nzl6Z1ODxgQAN/bCy2LBajacvqGMC1rHkmvMGH6MntZVqln91UEjBrNVSRI4glX2APhfydgTgHXlNvrDHce4W1hw/lBvcwSK+4Pxe2Wu8zINSwSEU9iFwSDiwGZtrxq6BFmieh3fXoLm5zg7fZxbGHfLI1hBMoHobcYRRlRZf+6k+EtJiBqbEGoBP1phEHJP2+DQw80QSZfkI+To9au/asIGPc339k7wWUtmBSKdPXNBsGabGeiLSYiNyLXd1Ghk6Hba/LovSzWd1cvBRaillHw8yLMUuFaJOghAbHanQatEg74L5kSqQPJfFMQ4OaN+a9Fl2Z40/gUiU50kYisEXaeWAck55woCpvQTztUJKzeSmTlZbwgFuL6LWoTLp0WKRzbp/sS+ow8J1r3SpU1NJ7FGF9PDKF+bKQ3LTJzBjBNDJhq5v/0dAgMBAAGjMjAwMB0GA1UdDgQWBBTyOXQJQhADaJF5TWVumt18V9GAzTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAC8MhiJwKZAE2Fe104DudiFYG3xhrXx64qFVeHNPCmy88/lfhJpWF5Ciq7aei/O6pKLsau2/pWOhBc/0F1Cw/nBeo07ph39P/Got0YBE7fHX2koMV/iAnfP2aJHvxkZ4UwYhVzfTJXlB7lOho07+WNVvgI6eqdomQoBPaM+opGLjVSO7zlMLBOpi5P1BYTHpm5sgLma5Z1C7EN1ITDMc/V4IEe+3tBP3IvIwfDXPyN3Un1KrsXdRbZT0Ih+rli+3nMazRT3lpYOnq0tqJkowCrgI+zc3g2kfnLo2jKL9aU1QkZUlBdDSC49HJTxhqndKxz+m7ITPoZHLpNX/CwkTrLUwlSI4XY9Dsdya0Ne9tRLFA9nhvHTEWWUrDwGBmHgxyGKAfAOzR/pJDTuwOGFvMnqauiJg1zkzXNkSCSqab11IFzZZPT/kntt/gEOLrGJJv0luQbrtCjwdmxKc4KH3FMjKfqDoEG2ZtwU4uzLiUynh1D5k9iFOI+u07yKy7hbdJDQNj16LhPvmvj4w6AyvFlzkVSp1r4S0eJ7QsOIXXpeFszvjTvM21nOeWBuj5yaE5cXJFoF5nFG/YxlliPPbPf/Utj8Gxyz1Rv8wKXhX5MaFrlpwczQunNFGFbESfDJsO3FXJLBdgVDrw4qNh+1R+vBXG3aGSmeG8l/NMGfunwNw==", "ServerSignature": "VKyHr4axgOczigiAY0dv3gbuolZGrbIX+AITS7/QuyV5I3+q7ulMtc/YoAtp8wmIZh62rL+L+YhZqMBpOPn2qlIYaWIblWde7XtxPvg9ixai9nq8nlCOcz+MknZEkhYZ8dOrc4CmRMYBW4egTOKnV8+9BwOzs28B+jI9JQLnQcNdmredgx0warAJjVzkH2r0sBgTpwbvk0yGlcA4lDybvcln+yVhrl6VTSDtc0qg5akiS7yYmn/0dPRmdUn7wc2LfXzKGQhdOfKRLInYuf8NbqT5Zyq7LhEO+nOdVsPICRdbhSwJ+k54rai823Pc28gHwnWKBQzjbJEgZckT4Wsihqb+fMPdgI9kcZmTCfpDlebwkDyVDsR7wYC+ZTF84eqHKgd0nmtnBYgA6HziKygxiPkJo27QlTlEfpD8ShdiGPbN7aiic7daJN+MOZwNVPKvyHbp4CSMHOqyq0Em+Xmv9czpw8HXNcLbyXCk/4XnWxs++qREBCAU75aM2P+6ZLS1fg11kxjzpIKI3fMEGnD7zHsB9qATDtJ5XdfBA9RxxkJfz5DHD+FOm5zG6R2Jd7L/AlzGzWz4g50WV0dXmiy2+V5k8FtqYjju6Ev6jFdzqKK0++sjnU0lvqA75bmGDm/wfYL7WxwIVkj8AVVykw/hHGH2/Ug8349XSTrTFm8J/HQ=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for submitted file

Source: aaa (3).exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: aaa (3).exe

Joe Sandbox ML: detected

Source: aaa (3).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: aaa (3).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 6.tcp.eu.ngrok.io

Yara detected Generic Downloader

Source: Yara match	File source: aaa (3).exe, type: SAMPLE
Source: Yara match	File source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.11:49701 -> 3.66.38.117:8808
Source: global traffic	TCP traffic: 192.168.2.11:49721 -> 3.68.171.119:8808

Source: Joe Sandbox View	IP Address: 3.66.38.117 3.66.38.117
Source: Joe Sandbox View	IP Address: 3.68.171.119 3.68.171.119

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 6.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: aaa (3).exe, type: SAMPLE
Source: Yara match	File source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: aaa (3).exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: aaa (3).exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: aaa (3).exe, 00000000.00000000.1533698780.000000000068E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs aaa (3).exe
Source: aaa (3).exe	Binary or memory string: OriginalFilenameStub.exe" vs aaa (3).exe

Source: aaa (3).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: aaa (3).exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: aaa (3).exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: aaa (3).exe, Settings.cs

Base64 encoded string: 'hYunAPXrkTu5+wdf0DlwpTy7ZtzMzD8IKDX744MWEzhwMdTIDmP7dLB4uSAcJUeZbvQH2PY1lcoA//wfX6vlO80/Y50WtKP14mYjat30Y8Y=', 'YXwRAwD2GC8wjeM/C0XctvHFErOKIJmiMKDU2I0nAHK0Zrf54mL91j+/YH8ovWDRVwQQU7sM3fxnvGu1hbohGw==', 'IN/35Z4+SQgGcNnVxVvHcKekiyGB1sGo7JJTVpBD+F42gGDzlXYdJpSsmyYJXp5pooE014zzDPiyXVNHhBhkd3v0kc7l76tauIe5GbM6CLy7LlfopXQh/Iohyb+I8bKK5rYw9QHbbug6Jk1E+AsNCy0hkNJFS3RlkAQgtEmprShGcRZiWxpR6A9z+LnQNAqvDB/24m+FDrOxQGaxlNQbZSLR9MbWSNVtemWEMDbaFiqLpcfxTYSP7uw+cRB0dVwxnhJUQUfMaavYJ6Om9+yFf70z5fhaRY30xIa6605o6OFq2uNPqX6C+AIsqIDUDTZ2UVun5rEqNPnxeF685oFEL0+Y7PO7f0eUwlvnmoyTY4ERIrL5dDWDWFDXiUeh9Uy2di4oRH/tDzrkpgyqYvEZIMcyniDJSElFkFJG7L33UQVe7f+7rI9K75+BT51RLI2rhcSWPpZxyAtTV5A5eeJ9AvFkRT4Q68DQov5aZY+iBV0nz4utWHw5MsLSQSUbpTGHDJOFoUxNKScCOwNCb+SI0x+xARMcr0SGHQeLE+hM9vF4fftPJ50WhNkfMkxMuVAQGejuhka1L3RTZY+sLw/jXJkb6p5XJiYQyWLmSccpBbEshhEyXcZib29p7Y4gRJ4nqB+6WE6LHWRsmUTnp9R6pmG/AwwYVkM1PJBhng9R6btpW49haDosCE5Z3qTdh1CuM7ZMl6UQI43hFjC/t1kafSMtQGsyIBMEXYpIpT7Wp7Z3JcGXDtADJ5ITV2Jf/UhMlDEKoyflu9BYzwtTDqnkBatuyn2uIdvmkYY2oWSQ00FJSzb8JcrzrOBArrZTUEOcjTFnPzPf/3iVaAWj7+HVKMy2XyyfX32Pjaz3ZzP8fBD9OcsJBqFTHarSQerm6d9r4cWKa+KBp29l8XjD5M4E+fdRTCYSqOCwWEn9vpD2Yu2QKCbGNpg7m/M5ubhmRopJ064k21vSKkZvJH2vJgmU4ALCiAEn1Ssh/hjqFB3Ua+wCOtBWyaCjNlZi3ZHVht9iXAEjSIQzqrEs6wNBmeittHNPqcFrShWT1qspsx9yuxhBtWecJGwDqB83UqZC8so7tFQo6B7hzsXHleaUjImqwt8KdHG1xKt1OB9DrCtf2hDgC9PQIJ1XiZTcDh9LBJpzcx86wvIzw6cT2hj6bbXh+E1uBanNRoeFjb+vyV4zQn7gfgZePIXUE4vspQ6fNgYeMnjBhN119V7UaHVOunHzkohXpFpfjYG30Xsl4z0n8PbPp7I4ZRgF3UiKt1elkJPbpR1Xqa2ukGdhg9UYxda0C09JI4PFbh9Z4jXelTiB4Av24nkB7c0lh59bXB8PWWxqtA+8cqeY0wlcIu+i+OB31LXRmlFKd1eevP83jE1UBa3ZohqxZT1YPzJdZNqanwN5stjjHr9MsVJJpZm2iT81mPMUIbYFZnAH6oXaLRTQL403LwihiqTYjGq2378wLnftxCUMDGQKKpFX4JDBEqEOJJ/s6CJdSwclNlHZrsmnIPJhqTkXPOL3bFHgE20Yyy/JAJ+Qkt9nIxCAdh8XQ/4XZhp4aGdU5CfVQ1PSCuYyTV4m9Ke+k4pvVFdjdJA9iTjEb77jOiUWYyB2AO7yHlmCzpAEb56hv97OW36AdADRVWxSU+JMOAd0y2m/iwRyBKwR+ukRbLvlW4gxIqSsjeKoyt57aZ6Qb84LLdZ8S1ZAANVdddxWBqqU+bW+wNlDIB7aqoPXIdX7uRzJO+RSerAnafg7ju1s57sJWrkMkmQlfFK72l/tb2rpHvTUpjCIXFu9+3TJefqCxPfw+eNlwE8RtKsMY0r62CInRsFoSowQW6UpmEe7yDPuXeHVSWzdT0ujQajMszdlefuaRfvYCmWLT2GOBZb/a++JZ94+MkemgUGteyvw/9Pw6bfdiDIXIuYvKpO99v9Pf29r/KWJFlmV4Svt4vJxv/mJGz/RbMPhKjq/y9B5RCZZyKxmfTESqnTGQwQ4hobNIXhFCsGNgIoDhJON/LtFs6vdUW+ZhjSwZ3V1kXvA7eRHN56CpLcscfBbN1XPe/pfRRGRiKNdn/2i/UIMv6UnTOm6XEPYysz0Ph6N7ahRCI84gYKKElthhfsUCx6GBjzBYy0o0o3WVcWY8C8vBwELTvwTrSZtYcR/mFRU/dXWaLxZBXoJx+7/3oLMNEXi/n5vuNSVuGggw4sfeOopfAzoxUhQXaNU586eng5OBcUA+kyL2nitz8H8lnAPdrX6D4Nb7oxTi/8113bcwNVoODYGTi3+uyi4TTylmfNVLyvMeRRcvwekiBEYKlKweWFXc00Zm4wUrv/ziVx5XbJfbk/wAbF+S1KjcCBypz8=', 'Sy0kuJLUPb9HM7a7fBm84eUeEBO51ZJVPcXlUHOrSCHdrQt++FwRaDLGGDMHXVWEAMqQKoUdGihIKlIIPj32DETM0Dcz6CToOt4uxFnp9v7zd939SmF7ijKub77n9BZw/Aceb+WtSHB5+k/Q1134D4c01exmk281i2DExtudVt3eYGoPybrKqdYxjGETrRoDjtBHSHtHM8e9ohYTeL8+FZRX85TOAdvXeZismDRBYGjZftZwkVq8Wo7Bc5Ps4v0FLxG0zsK2XCfjYqk03D5w8VkwOAoGH8SlOlAj7dVjz5S/M/RRWLA8Xogc0fXIMltbCkJ2N2l3d3llxKeeBcgsshYsSvxk9/ivpgr95MBnrDJfFN+0AYGwprZjKYXphayKMURWwSEFrG3cnIUg54k5IaAHv/c/RuLZBFIVf3qDtU6gw8UuDZyIMMZLWN3

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/3

Source: C:\Users\user\Desktop\aaa (3).exe	Mutant created: NULL
Source: C:\Users\user\Desktop\aaa (3).exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: aaa (3).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: aaa (3).exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\aaa (3).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aaa (3).exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Section loaded: schannel.dll	Jump to behavior

Source: aaa (3).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: aaa (3).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: aaa (3).exe, type: SAMPLE
Source: Yara match	File source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR

Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: aaa (3).exe, type: SAMPLE
Source: Yara match	File source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: aaa (3).exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\aaa (3).exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\aaa (3).exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\aaa (3).exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\aaa (3).exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: aaa (3).exe	Binary or memory string: vmware
Source: aaa (3).exe, 00000000.00000002.2777681954.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\aaa (3).exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\aaa (3).exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\aaa (3).exe

Queries volume information: C:\Users\user\Desktop\aaa (3).exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\aaa (3).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: aaa (3).exe, type: SAMPLE
Source: Yara match	File source: 0.0.aaa (3).exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aaa (3).exe PID: 5604, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
aaa (3).exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
aaa (3).exe	100%	Avira	TR/Dropper.Gen
aaa (3).exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	3.66.38.117	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.66.38.117	6.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true
3.68.171.119	unknown	United States		16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575591
Start date and time:	2024-12-16 06:17:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aaa (3).exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aaa (3).exe, PID 5604 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: aaa (3).exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.66.38.117	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse
	ziTLBa3N50.exe	Get hash	malicious	Njrat	Browse
	1.exe	Get hash	malicious	Njrat	Browse
	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse
3.68.171.119	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse
	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6.tcp.eu.ngrok.io	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse	3.69.115.178
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	3.69.115.178
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	Client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	3.69.157.220
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse	3.69.115.178

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	CrSpoofer.exe	Get hash	malicious	AsyncRAT	Browse	18.153.198.123
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	18.224.21.137
	arm5.elf	Get hash	malicious	Unknown	Browse	35.164.31.57
	arm.elf	Get hash	malicious	Unknown	Browse	18.146.49.140
	sh4.elf	Get hash	malicious	Unknown	Browse	54.104.203.158
	ppc.elf	Get hash	malicious	Unknown	Browse	3.3.247.98
	mips.elf	Get hash	malicious	Unknown	Browse	18.202.125.197
	arm6.elf	Get hash	malicious	Unknown	Browse	18.253.84.76
	x86.elf	Get hash	malicious	Unknown	Browse	15.184.158.117
	hmips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
AMAZON-02US	CrSpoofer.exe	Get hash	malicious	AsyncRAT	Browse	18.153.198.123
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	18.224.21.137
	arm5.elf	Get hash	malicious	Unknown	Browse	35.164.31.57
	arm.elf	Get hash	malicious	Unknown	Browse	18.146.49.140
	sh4.elf	Get hash	malicious	Unknown	Browse	54.104.203.158
	ppc.elf	Get hash	malicious	Unknown	Browse	3.3.247.98
	mips.elf	Get hash	malicious	Unknown	Browse	18.202.125.197
	arm6.elf	Get hash	malicious	Unknown	Browse	18.253.84.76
	x86.elf	Get hash	malicious	Unknown	Browse	15.184.158.117
	hmips.elf	Get hash	malicious	Unknown	Browse	34.249.145.219

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.464181855078036
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	aaa (3).exe
File size:	46'080 bytes
MD5:	8123d15bb6100a19ac103b4ec3d592bf
SHA1:	713d2344beb28d34864768e7b2c0463044bdc014
SHA256:	68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d
SHA512:	ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351
SSDEEP:	768:7uScq5TAYGTqWU8j+zmo2qLrw1xxYwG8PPI2ajbXgX3ikR5i9fAEPr1BDZLx:7uScq5TA5c2owEl22bwXSkRUvdLx
TLSH:	D4231B003BD9812BF2BE4F78A9F26145867AB2637603D5892CC411DB5713FC6DA426EE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................^.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c75e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc704	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa764	0xa800	a8983937d6b7f093330a78b8c898d173	False	0.49979073660714285	data	5.520124804729585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	8e16fb7354c6a0174ffc8ab8c8a535a9	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:18:58.398709059 CET	49701	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:18:58.518909931 CET	8808	49701	3.66.38.117	192.168.2.11
Dec 16, 2024 06:18:58.519087076 CET	49701	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:18:58.640564919 CET	49701	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:18:58.760463953 CET	8808	49701	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:20.433608055 CET	8808	49701	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:20.433754921 CET	49701	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:25.464526892 CET	49701	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:25.465364933 CET	49706	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:25.584496021 CET	8808	49701	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:25.585155964 CET	8808	49706	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:25.585299969 CET	49706	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:25.585737944 CET	49706	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:25.705521107 CET	8808	49706	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:47.480684042 CET	8808	49706	3.66.38.117	192.168.2.11
Dec 16, 2024 06:19:47.480802059 CET	49706	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:52.493752003 CET	49706	8808	192.168.2.11	3.66.38.117
Dec 16, 2024 06:19:52.613459110 CET	8808	49706	3.66.38.117	192.168.2.11
Dec 16, 2024 06:20:06.860901117 CET	49721	8808	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:06.980622053 CET	8808	49721	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:06.980711937 CET	49721	8808	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:06.981081009 CET	49721	8808	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:07.100774050 CET	8808	49721	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:28.872219086 CET	8808	49721	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:28.876055956 CET	49721	8808	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:33.884602070 CET	49721	8808	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:33.885641098 CET	49781	8080	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:34.004245996 CET	8808	49721	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:34.005337954 CET	8080	49781	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:34.005461931 CET	49781	8080	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:34.005822897 CET	49781	8080	192.168.2.11	3.68.171.119
Dec 16, 2024 06:20:34.125452995 CET	8080	49781	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:55.904230118 CET	8080	49781	3.68.171.119	192.168.2.11
Dec 16, 2024 06:20:55.904352903 CET	49781	8080	192.168.2.11	3.68.171.119

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:18:58.157742977 CET	51984	53	192.168.2.11	1.1.1.1
Dec 16, 2024 06:18:58.396682024 CET	53	51984	1.1.1.1	192.168.2.11
Dec 16, 2024 06:20:06.619663000 CET	51802	53	192.168.2.11	1.1.1.1
Dec 16, 2024 06:20:06.860007048 CET	53	51802	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 06:18:58.157742977 CET	192.168.2.11	1.1.1.1	0xed56	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:20:06.619663000 CET	192.168.2.11	1.1.1.1	0x482f	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 06:18:58.396682024 CET	1.1.1.1	192.168.2.11	0xed56	No error (0)	6.tcp.eu.ngrok.io		3.66.38.117	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:20:06.860007048 CET	1.1.1.1	192.168.2.11	0x482f	No error (0)	6.tcp.eu.ngrok.io		3.68.171.119	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:18:53
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\aaa (3).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aaa (3).exe"
Imagebase:	0x680000
File size:	46'080 bytes
MD5 hash:	8123D15BB6100A19AC103B4EC3D592BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1533680615.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04F51727 Relevance: 5.4, Strings: 4, Instructions: 444COMMON

Download Yara Rule

Strings

agq, xrefs: 04F51CDF
xkq, xrefs: 04F51D76
,, xrefs: 04F51870
agq, xrefs: 04F51D3C

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: agq$ agq$,$xkq
API String ID: 0-796641304
Opcode ID: 69ccc0f645831cecfbc924f654272c14e1cefff0a56ab283759057b9babf9bb9
Instruction ID: 8b8dda5948adc711c996bf30c3bbcae8782e32b3234be9c3ae4bdee1bb0cd658
Opcode Fuzzy Hash: 69ccc0f645831cecfbc924f654272c14e1cefff0a56ab283759057b9babf9bb9
Instruction Fuzzy Hash: 84028F79B002019FDB15EB29D994B6E7BE2FB84304F148959E9029F3E5DF71AC42CB81

Function 04F51962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

agq, xrefs: 04F51CDF
xkq, xrefs: 04F51D76
agq, xrefs: 04F51D3C

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: agq$ agq$xkq
API String ID: 0-719213010
Opcode ID: d53db9cced79af87fc8b0c1bdaa00dcd8c6a42f2cc43dd3cb8fbd9f2d4e1e93f
Instruction ID: b67680ed58109d1e9855641eff67aa4bddf0be24e1a3e35b65c3e93a7c465881
Opcode Fuzzy Hash: d53db9cced79af87fc8b0c1bdaa00dcd8c6a42f2cc43dd3cb8fbd9f2d4e1e93f
Instruction Fuzzy Hash: 86617CB9B402008FD711DF29D844B5E7BE2FB88304F118969D5069F3E5DB71EC468B82

Function 04F50EBB Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

Tegq, xrefs: 04F50EED
(kq, xrefs: 04F51192
d@p, xrefs: 04F50F05

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: (kq$Tegq$d@p
API String ID: 0-703239973
Opcode ID: 38ae9c84b23834d99eb10511e31cfe82eeb5bfa1a9d31f8657280a1f82a82425
Instruction ID: 6e06d7c3461c1704a84bc739c08be94041149a5aa517aefd19f82a754f7eb640
Opcode Fuzzy Hash: 38ae9c84b23834d99eb10511e31cfe82eeb5bfa1a9d31f8657280a1f82a82425
Instruction Fuzzy Hash: 23518D38B001149FC754DF6DC458A6EBBF6EF89710F2580A9E906EB3A5CA75EC01CB91

Function 04F50D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLmq, xrefs: 04F50D5B
Hkq, xrefs: 04F50E40

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: Hkq$dLmq
API String ID: 0-1557191823
Opcode ID: 93839b238138cfcf6ba321830b4d2653736766f62f99684604c292ca73dc89cc
Instruction ID: a87ce54df7d3b74e428f68cd88b2d3dda1565a9fbc7b4fca0523f89d40a83d72
Opcode Fuzzy Hash: 93839b238138cfcf6ba321830b4d2653736766f62f99684604c292ca73dc89cc
Instruction Fuzzy Hash: 6341E135B042448FCB15DF6DD454A9EBBF6AF89300F1444AAE505EB3A2CE74EC05CBA1

Function 04F51339 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

LRgq, xrefs: 04F5138B

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: LRgq
API String ID: 0-2449505933
Opcode ID: 1c8c7e1ab12ed535c667f49bf97f844bb75a0c32a9aa59ddf225209c9e3c1f03
Instruction ID: 58c58adb0d3b6af30f2b21788292b347721fcba4098a5983fdda019fad8af7ae
Opcode Fuzzy Hash: 1c8c7e1ab12ed535c667f49bf97f844bb75a0c32a9aa59ddf225209c9e3c1f03
Instruction Fuzzy Hash: B831BF74F002168FCB45AB788560ABEBBF2FFC9200B1441A9E545DB3A5DE30EC02CB91

Function 04F50D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLmq, xrefs: 04F50D5B

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: dLmq
API String ID: 0-466722732
Opcode ID: bce0c2b3c027553aef3aa39db8f47a277a16da94e62f4cc514dd93c8774caafe
Instruction ID: ea6e4035ba0d3be4997aa267be92849c8ff661412dc0e67839649a30b51435a3
Opcode Fuzzy Hash: bce0c2b3c027553aef3aa39db8f47a277a16da94e62f4cc514dd93c8774caafe
Instruction Fuzzy Hash: BB318F75A00205CFCB15DF69C448B9EBBF2AF49300F1485AAE901AB3B1DB74ED45CB91

Function 04F50E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hkq, xrefs: 04F50E40

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID: Hkq
API String ID: 0-3520182757
Opcode ID: 9cecc7f7823370c4ae74daeaf24273b0a280c5dfc8f174d5e8e2e2c71b77af60
Instruction ID: eaecbafecc9b5009f7994fa100c53e131eb91c4fa31c7ff8a3cd170d505b697b
Opcode Fuzzy Hash: 9cecc7f7823370c4ae74daeaf24273b0a280c5dfc8f174d5e8e2e2c71b77af60
Instruction Fuzzy Hash: 26F0A4257093805FC356673D685442E7FE79FC725036904E6E545CB3A7CD188C0583A6

Function 04F50AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf4d3bb09fdec2f71280cf2d13e05d37cc11ff8a2ed17461b5c9d1eb449a895
Instruction ID: 52867c3c690546f9038f92aeebc939f5835c2b2f4e6709cd23177592f861696e
Opcode Fuzzy Hash: fbf4d3bb09fdec2f71280cf2d13e05d37cc11ff8a2ed17461b5c9d1eb449a895
Instruction Fuzzy Hash: BF510C78640202CFCB06FB39ECD454A7B72FB883457528A68D4028B399EB759847EFC1

Function 04F511D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6947c4c8932d87b1670d4ba22829b215130689636ecb75b0395a7b2f01bd68
Instruction ID: 50c57fc9d3e852523b55d87b1dc8e1d0ab027ab003c02324b3d2bdc0a27a64aa
Opcode Fuzzy Hash: ad6947c4c8932d87b1670d4ba22829b215130689636ecb75b0395a7b2f01bd68
Instruction Fuzzy Hash: 1541B474F00208AFCB44EFBDC55466EBBFAEF88300F1085A9D949D7355DA34A9428B91

Function 04F51030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591929f9f0d9fba5967a1c80c4a311590c8eac800349b9ec4f690819e29092a2
Instruction ID: 9c2f616b20cd5439250798411e10b078479496ce9157760ffbfe97eac5a076d5
Opcode Fuzzy Hash: 591929f9f0d9fba5967a1c80c4a311590c8eac800349b9ec4f690819e29092a2
Instruction Fuzzy Hash: F8211979B001549FE714DB68CA54BAE7BE6BF88710F248194E901AB3A5DA71AC01CB81

Function 0287D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2778554580.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_287d000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad512633962c96cba424be6fef6277dea5e28c904ed964022838f97166d0d7d
Instruction ID: b2414d2d7836090d1b6faf7ec06a1e23ec9b03a453fa9ddfdb4ea978b9388273
Opcode Fuzzy Hash: cad512633962c96cba424be6fef6277dea5e28c904ed964022838f97166d0d7d
Instruction Fuzzy Hash: F92145BA504204DFDB05DF04D9C0B26BFA5FF88328F24C568E90A8B256C336D406CBA2

Function 04F50998 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7136097ffc773bcb41ec8dbeb5f8c4787b79bab317ba086f81cfb99302512084
Instruction ID: f9553acaa35bd3203592364edcb0f6f324d00073dcee8182753bb73acd6b25df
Opcode Fuzzy Hash: 7136097ffc773bcb41ec8dbeb5f8c4787b79bab317ba086f81cfb99302512084
Instruction Fuzzy Hash: A521A934F402438FEB69AF78D95826E3BE4AF01341B41482DDE07C22A4EF24A502DB92

Function 04F509A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef1058625c44a557a0341583c5fc80fe52e1c4bfa0286a7da536aa4c0e0a77b
Instruction ID: 8464d77a37920803285ff0a49274978e1d465b3af720e6ff2f282254cab9e527
Opcode Fuzzy Hash: 3ef1058625c44a557a0341583c5fc80fe52e1c4bfa0286a7da536aa4c0e0a77b
Instruction Fuzzy Hash: 53214F35F502039FDF54AF79DA5826E3BE4AF05341B51482DDE06C21A4FF24A5039BA2

Function 04F51431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c6944dcea9e033c9e40dce9eabac00ed1489501eb2aab9f6cdfe59fe6f45e3
Instruction ID: 2cd16ca0d355aa7d87134f8c14a854e6a48137634e37cc7c801fc975073d836e
Opcode Fuzzy Hash: 39c6944dcea9e033c9e40dce9eabac00ed1489501eb2aab9f6cdfe59fe6f45e3
Instruction Fuzzy Hash: 7D11AC34A01342DFCB45EFB8D94466A7BF6EF8A24071504B9D506CB365EA30D942CB90

Function 0287D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2778554580.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_287d000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: a28d026746b87cada9c27f79846f77f83489508d54cef5a08823d2cc8a69bced
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: 2111937A504280DFDB16CF14D5C4B16BF72FF84324F28C6A9D9094B656C33AD45ACBA2

Function 04F51440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf96f3fdf723234341d77d50d426ccd5876d496d69ec8574845cac9c610f0aa
Instruction ID: 5ada6a14a4d30ed0d12db5a87e924352915b192b9f6bc166cc84204dbcaa50cd
Opcode Fuzzy Hash: 6cf96f3fdf723234341d77d50d426ccd5876d496d69ec8574845cac9c610f0aa
Instruction Fuzzy Hash: BA11AD74F00205DFCB54EFB9CA4462B7BE6EF8924072104B8D506DB368EA31EC42CB90

Function 04F516A0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96c660d16c033d0efdc267329139945d2df49d8782a25089daf862b85ea254e
Instruction ID: 0738ebd13f7e98e86ce8298269fb5ba2030c983f923e844c6a971890540d9d5f
Opcode Fuzzy Hash: e96c660d16c033d0efdc267329139945d2df49d8782a25089daf862b85ea254e
Instruction Fuzzy Hash: 1E017C35E412158FEF09EB68D9917AE77B4EF04714B05006DCA05DB6A5DB34BD03CB91

Function 04F50A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929165c675aa629f357e34940aab4dce8ed336c350c8b21ce2cee97595d4bca6
Instruction ID: c928657ab6c152a599271561fa70883325445cde433f7897c66e4bab4199bc83
Opcode Fuzzy Hash: 929165c675aa629f357e34940aab4dce8ed336c350c8b21ce2cee97595d4bca6
Instruction Fuzzy Hash: 67C08C79E85207CFD3102BB8D80862C3DD0AB86302F840C05AE02C50E1AF3825225317

Function 04F50A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2779659048.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_aaa (3).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e219d46b4c3c9776d05d6bdd9bd8aeb9dc09f1dd0a7fe01b3e3df12530a0e4
Instruction ID: 996fbbb581ce0193ae0080032389c56a05d6c1faeece0cd90276716888da5944
Opcode Fuzzy Hash: 35e219d46b4c3c9776d05d6bdd9bd8aeb9dc09f1dd0a7fe01b3e3df12530a0e4
Instruction Fuzzy Hash: 0BC08C79E8524BCFD7101B78D80862C3ED0A786302F840C0AAA02C40E1AF3825229717

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aaa (3).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
aaa (3).exe