Edit tour

Windows Analysis Report
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Overview

General Information

Sample name:	17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe
Analysis ID:	1578597
MD5:	9377da935ca14d91e2ebbab60876ebd1
SHA1:	83ead28c22a3147f0a3c57bf71329c08a8e298f3
SHA256:	074236faf57c0ecfc4b8034b57539a7954a5e25dd610360264f625e51e639ae7
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

AsyncRAT

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "Notepad.exe", "AES_key": "0HZv2d3LYROdWuWlzoaAVEW65pMouR2t", "Mutex": "ERMEUYRgrtNTEWYRI71tetr82Djkdui\"/()EB/XTE\"o", "AntiDetection": "true", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "9kzo13MAsoGwulLvvGLiLxBbmUj1+Y2Y5g8PiG1RdP0/Q8Rga0w541/9R+dHfdD7FhvMLkDgepwIiB4LeBAMQw==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJX3OBU31PdGsgdievk+0zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjExMDIwMDEwNzMwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIxzTLr4hnFFaKeh1kJdDFO+XMX152Kh80UYTFrsZSUdoFYtEb250ZfMcFOlbfg14wjuBrn1kaoflXitSm/EtDRAIzTfctOf0QhvGJ7/g+aDHfKIuGsBlQzqtzO+0Ab7rCDwjtSJkGXSL/UvoTF1L8kXB7kI4veHXuRqCHgHKSUomkqbYkeXrfQZTvVBXV3EVEIbLCiAIOsXRjLtd6KuopfwinutWYntLXaN4HO9JSsSRJ/NIj7YV78VqZUIl3ykpxEKKBtAsy9hmDzNmSHckfA9xi7b8lnUm4uVGHja5nS1aPP4H6/WfJ8CqAe53jY89InBpXQpRjAMNBIn+KnVjDKXurV2I/REO0XjVp/IxSdccxx7a9LcaZuo1bYnVCS3PFt9BOGsUV/WVnH4jyD6vql3dRlJRubMlb031xrqbozcrnepI/qRJEAuIuvQat6aowf8RqoNnbtxOOGepC6Hc1QZp6L+/6b/EmbVES/mQpKNEji8NRDIHkecWfb5pOcuaTMC9TzQs//tVPtTjw2kfaiuiMy/b47hwXRw3b3Z/L5qm1GIMzqTnwSnIWwAvtcm/ZosCT6Gkp5UAQsn9BvVBsAdyaPuJ556ohjxD+ckqHVoz8wFmHzvuLrY/bR4RtqabhI1SG+GH+U8dk+RVZ19FUphuP+1pkmsDw9Hli/YtEg7AgMBAAGjMjAwMB0GA1UdDgQWBBTXtZPdF7dIGGVXoRT9D35BMUE1VDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCBk2+eHVC6WWkLCDRqfT/pD38to9JsD8Sb66jAf54zFl06Iu9RcBDWsUsrm0gEjY3mm8GWipkdGzSiZ83PIPeM6mClep7HxptnqyJeyZeI3y/JgHblmN1DN5lYv9jw9U/lW48SuQzmwNyfwlxYCZC6ZjcHGKWxTfd4d0Dsb2VLdrlPNy7E+mUQRBV+hwuBoOfYKMWkSWedLk8kIx93TWMVlyN9ifd81jdLwsmpVMiCjmq6xyGVGp8FiMfUpQ4N5Ul2/LK4Bli3eRuKh1jeb+quabsRcqvoadTDTshjCZs7iWhn3xPfLDeekh/8DYbbUhd2ezYlC8f0t5BwDnB+hi2WHzeKnzqYFTwW5L9FOcnNnwJMSxYcmMr5t5IB3xTIe/zbg7C7ZHcPKvaSEhrAtQme0Do6bAGEvh5NmpABvu4HHhxV9qCZKU+yc8KJVoHK/+Y+ejgC6hGE9c87f35wl/1w0Un7p6/kA5k1ZUuvPAFmKagcvCD6OG3QRSHb8c0+Cn8OkUCGUdPKFEVhLUrYAk8uFyHQeXdXn6fYPXxjhzk37Uf+VujPbAsDJCPkkAPQtnZHXwlJrdsPqqv+cu9rdgBXNEL0GWLahtuWmQTBuUtlYQZUOUMRVz8h4v2q3psLxLXHT5i9AvvS6rgRHAEazA6k1qRjBwzyJqG2F0ir34wXlg==", "ServerSignature": "BO0L4fNx0rSUa+WdjVb1UaWoHbsAEgibJkuVjAQQnUwyvPuIRPl9ysjo0kOuPDoYM0XkYkOpG2CqRtAd4eSSz7pnHaMexDYXyL69R8N7IeKX2O+1cCPMoagCz9EEZpwQWrwiAQgyWtuxZN2+vJvCHvgI0To14+wwl/5hMBmGxBT5fhkIqkyogj6hjl1qRl4ny10nz70OAxcA4HIi1Fx6XttpaUcS+RO7EdxTqrq+7kabFj95xsx+nyBFw6+caBs4V8amUAyzs7cutJsIEY+H2Od81N6SVNOxFcebEwRpIgIgUTxRGakVnq1bHxRWQ84UyJPb8nXT+iwsHm/f7kusSigQJt2UPecDxEtoi0RyJaSfaacFV4FO3K6dIeeOnj6OfS5UaGN4TQJk5v68DFpqkLfw+zjO+4mTz9eH6C/esDlJysIERz5Buc7ikKHqkllSrEMA8P4JenDDmvPv4WIbCXXtm/outPWavQAmHLRtdYqsm27kNrxNGL3HnBNmZlDzE8eNxUMJjl06F7IjXo2fILf3U5CSBtJ/s/632Wf6LuHjL3IhyCmhQB3bKKLn1v4FVbAkhd3VB2qdckfMPQgR25N7QRhcfZX2ROh8xG+WkmNhzjN6uLPingsLxCQOyEaX/JQHNHnLTRYx1z3inU9KjJpeEISCHpUR2x5fQSF3g6Y=", "Group": "12+1_Fuck"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd513:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10386:$a2: Stub.exe 0x10416:$a2: Stub.exe 0x9bd3:$a3: get_ActivatePong 0xd72e:$a4: vmware 0xd5a3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xac3e:$a6: get_SslClient
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd5a5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "Notepad.exe", "AES_key": "0HZv2d3LYROdWuWlzoaAVEW65pMouR2t", "Mutex": "ERMEUYRgrtNTEWYRI71tetr82Djkdui\"/()EB/XTE\"o", "AntiDetection": "true", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "9kzo13MAsoGwulLvvGLiLxBbmUj1+Y2Y5g8PiG1RdP0/Q8Rga0w541/9R+dHfdD7FhvMLkDgepwIiB4LeBAMQw==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJX3OBU31PdGsgdievk+0zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjExMDIwMDEwNzMwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIxzTLr4hnFFaKeh1kJdDFO+XMX152Kh80UYTFrsZSUdoFYtEb250ZfMcFOlbfg14wjuBrn1kaoflXitSm/EtDRAIzTfctOf0QhvGJ7/g+aDHfKIuGsBlQzqtzO+0Ab7rCDwjtSJkGXSL/UvoTF1L8kXB7kI4veHXuRqCHgHKSUomkqbYkeXrfQZTvVBXV3EVEIbLCiAIOsXRjLtd6KuopfwinutWYntLXaN4HO9JSsSRJ/NIj7YV78VqZUIl3ykpxEKKBtAsy9hmDzNmSHckfA9xi7b8lnUm4uVGHja5nS1aPP4H6/WfJ8CqAe53jY89InBpXQpRjAMNBIn+KnVjDKXurV2I/REO0XjVp/IxSdccxx7a9LcaZuo1bYnVCS3PFt9BOGsUV/WVnH4jyD6vql3dRlJRubMlb031xrqbozcrnepI/qRJEAuIuvQat6aowf8RqoNnbtxOOGepC6Hc1QZp6L+/6b/EmbVES/mQpKNEji8NRDIHkecWfb5pOcuaTMC9TzQs//tVPtTjw2kfaiuiMy/b47hwXRw3b3Z/L5qm1GIMzqTnwSnIWwAvtcm/ZosCT6Gkp5UAQsn9BvVBsAdyaPuJ556ohjxD+ckqHVoz8wFmHzvuLrY/bR4RtqabhI1SG+GH+U8dk+RVZ19FUphuP+1pkmsDw9Hli/YtEg7AgMBAAGjMjAwMB0GA1UdDgQWBBTXtZPdF7dIGGVXoRT9D35BMUE1VDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCBk2+eHVC6WWkLCDRqfT/pD38to9JsD8Sb66jAf54zFl06Iu9RcBDWsUsrm0gEjY3mm8GWipkdGzSiZ83PIPeM6mClep7HxptnqyJeyZeI3y/JgHblmN1DN5lYv9jw9U/lW48SuQzmwNyfwlxYCZC6ZjcHGKWxTfd4d0Dsb2VLdrlPNy7E+mUQRBV+hwuBoOfYKMWkSWedLk8kIx93TWMVlyN9ifd81jdLwsmpVMiCjmq6xyGVGp8FiMfUpQ4N5Ul2/LK4Bli3eRuKh1jeb+quabsRcqvoadTDTshjCZs7iWhn3xPfLDeekh/8DYbbUhd2ezYlC8f0t5BwDnB+hi2WHzeKnzqYFTwW5L9FOcnNnwJMSxYcmMr5t5IB3xTIe/zbg7C7ZHcPKvaSEhrAtQme0Do6bAGEvh5NmpABvu4HHhxV9qCZKU+yc8KJVoHK/+Y+ejgC6hGE9c87f35wl/1w0Un7p6/kA5k1ZUuvPAFmKagcvCD6OG3QRSHb8c0+Cn8OkUCGUdPKFEVhLUrYAk8uFyHQeXdXn6fYPXxjhzk37Uf+VujPbAsDJCPkkAPQtnZHXwlJrdsPqqv+cu9rdgBXNEL0GWLahtuWmQTBuUtlYQZUOUMRVz8h4v2q3psLxLXHT5i9AvvS6rgRHAEazA6k1qRjBwzyJqG2F0ir34wXlg==", "ServerSignature": "BO0L4fNx0rSUa+WdjVb1UaWoHbsAEgibJkuVjAQQnUwyvPuIRPl9ysjo0kOuPDoYM0XkYkOpG2CqRtAd4eSSz7pnHaMexDYXyL69R8N7IeKX2O+1cCPMoagCz9EEZpwQWrwiAQgyWtuxZN2+vJvCHvgI0To14+wwl/5hMBmGxBT5fhkIqkyogj6hjl1qRl4ny10nz70OAxcA4HIi1Fx6XttpaUcS+RO7EdxTqrq+7kabFj95xsx+nyBFw6+caBs4V8amUAyzs7cutJsIEY+H2Od81N6SVNOxFcebEwRpIgIgUTxRGakVnq1bHxRWQ84UyJPb8nXT+iwsHm/f7kusSigQJt2UPecDxEtoi0RyJaSfaacFV4FO3K6dIeeOnj6OfS5UaGN4TQJk5v68DFpqkLfw+zjO+4mTz9eH6C/esDlJysIERz5Buc7ikKHqkllSrEMA8P4JenDDmvPv4WIbCXXtm/outPWavQAmHLRtdYqsm27kNrxNGL3HnBNmZlDzE8eNxUMJjl06F7IjXo2fILf3U5CSBtJ/s/632Wf6LuHjL3IhyCmhQB3bKKLn1v4FVbAkhd3VB2qdckfMPQgR25N7QRhcfZX2ROh8xG+WkmNhzjN6uLPingsLxCQOyEaX/JQHNHnLTRYx1z3inU9KjJpeEISCHpUR2x5fQSF3g6Y=", "Group": "12+1_Fuck"}

Multi AV Scanner detection for submitted file

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Machine Learning detection for sample

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Joe Sandbox ML: detected

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: windows11.theworkpc.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE

System Summary

Malicious sample detected (through community Yara rule)

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Binary or memory string: OriginalFilenameStub.exe" vs 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: Section .text

Source: classification engine

Classification label: mal88.troj.evad.winEXE@0/0@0/0

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

ReversingLabs: Detection: 44%

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Binary or memory string: SBIEDLL.DLL

Source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Binary or memory string: vmware

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	45%	ReversingLabs	Win32.Spyware.AsyncRAT
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
windows11.theworkpc.com	true		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578597
Start date and time:	2024-12-19 23:28:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
VT rate limit hit for: 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe	Get hash	malicious	Quasar	Browse	13.107.246.63
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	13.107.246.63
	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	13.107.246.63
	dz6dQWx0DD.dll	Get hash	malicious	Nitol	Browse	13.107.246.63
	Eallentoff_401k_1484013830.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	INVOICE-0098.pdf ... .lnk.lnk.d.lnk	Get hash	malicious	Unknown	Browse	13.107.246.63
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	13.107.246.63
	CNUXJvLcgw.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	13.107.246.63
	H2PspQWoHE.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.56637591773199
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe
File size:	68'460 bytes
MD5:	9377da935ca14d91e2ebbab60876ebd1
SHA1:	83ead28c22a3147f0a3c57bf71329c08a8e298f3
SHA256:	074236faf57c0ecfc4b8034b57539a7954a5e25dd610360264f625e51e639ae7
SHA512:	2e085f360fbadfbb14360bf26fca52d0268b9a8c2f4b0dbba64dc77a4dd13a3c17896c473757310521fbc0aab5a0b31e9a127f9907e07810e9c5d8383755291c
SSDEEP:	1536:rgYTxP865WkXA1gVsMuUeRjP/pP3kkJbh788WBWvArQTGxn:rgQxU6kkNsMuUeRb/pPbJbhGpGCn
TLSH:	9A6309053BE8901AF2BECF7459F6368546B9F46B2E02D55D0CC811CE0672B86B941BFB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.4d................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x411afe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64348F75 [Mon Apr 10 22:36:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
or byte ptr [ecx], 0000000Eh
or eax, 0E1C0520h
adc dword ptr [edx+1182120Dh], eax
sbb al, 1Dh
sbb al, 06h
add byte ptr [ecx], al
adc al, byte ptr [ecx+00050E4Dh]
add al, byte ptr [ecx]
push cs
push cs
push es
add byte ptr [ebx], al
add dword ptr [esi], ecx
push cs
add al, byte ptr [ebx]
pop es
add dword ptr [82120000h+eax], ebx
adc eax, 12012007h
add byte ptr [0006051Dh], 00000001h
sbb al, 12h
or byte ptr [ecx], 00000008h
add byte ptr [ecx], al
adc al, byte ptr [edx+1D821109h]
or dword ptr [eax], eax
add dl, byte ptr [edx]
and byte ptr [ecx], 00000011h
and byte ptr [05001C0Eh], 00000012h
sub byte ptr [0E318211h], 00000015h
adc al, byte ptr [ecx-7DEDFE03h]
or dword ptr [edx], edx
or byte ptr [ecx], 00000015h
adc al, byte ptr [ecx-7DEDFE03h]
and dword ptr [edi], edx
adc eax, 15015912h
adc bl, byte ptr [ebp+0Ah]
adc ah, byte ptr [ecx+1Ch]
adc cl, byte ptr [1D0E0912h]
add eax, 0E0E4512h
push cs
or eax, dword ptr [eax]
add dword ptr [13015912h], edx
add byte ptr [edx], dl
sub byte ptr [00130603h], 00000013h
adc eax, 120A5D12h
popad
sbb al, 12h
or eax, 1D0E0912h
add eax, 0E0E4512h
push cs
pop ss
and byte ptr [edx], cl
add dword ptr [ebx], edx
add byte ptr [ebx], dl
add dword ptr [ebx], edx
add dl, byte ptr [ebx]
add edx, dword ptr [ebx]
add al, 13h
add eax, 07130613h
adc ecx, dword ptr [eax]
adc ecx, dword ptr [ecx]
push cs
pop es
push es
sbb eax, 00008112h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11aa4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7ff
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfb04	0xfc00	3f922031a86033243fd356c298db0247	False	0.49714781746031744	data	5.611820904170509	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 23:29:26.888180017 CET	1.1.1.1	192.168.2.6	0x56bd	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 23:29:26.888180017 CET	1.1.1.1	192.168.2.6	0x56bd	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

DNS Answers

Statistics

System Behavior

Disassembly

Windows Analysis Report
17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe