Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe

Overview

General Information

Sample name:1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe
Analysis ID:1578600
MD5:15c0e802a7c4df842a25733804d8a0ba
SHA1:294a3e89a445bf2d27f242c14fea323c34d55585
SHA256:a9e62ae675e9d0db930a35c24857f2e102d609a49425e7e2c97a7b1b2555e669
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

AsyncRAT
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
PE file does not import any functions
PE file overlay found
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

NameDescriptionAttributionBlogpost URLsLink
AsyncRATAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "true", "Install_Folder": "%Temp%", "Install_File": "DMIDE45.tmp.exe", "AES_key": "0jqHD5VN3sjRqjZnn65GnT60RYcJixeW", "Mutex": "ERMEUDsX4nzWMHDjtnG5JA5/XTE\"o", "AntiDetection": "true", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "Snqt7qAgsbneLLviMomu0zxihJWEPbmCht8wZWVOJAQNlnyTspAJVpkisyFdLX5JLb5jABaPfLCAYuJStI+bgQ==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJX3OBU31PdGsgdievk+0zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjExMDIwMDEwNzMwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIxzTLr4hnFFaKeh1kJdDFO+XMX152Kh80UYTFrsZSUdoFYtEb250ZfMcFOlbfg14wjuBrn1kaoflXitSm/EtDRAIzTfctOf0QhvGJ7/g+aDHfKIuGsBlQzqtzO+0Ab7rCDwjtSJkGXSL/UvoTF1L8kXB7kI4veHXuRqCHgHKSUomkqbYkeXrfQZTvVBXV3EVEIbLCiAIOsXRjLtd6KuopfwinutWYntLXaN4HO9JSsSRJ/NIj7YV78VqZUIl3ykpxEKKBtAsy9hmDzNmSHckfA9xi7b8lnUm4uVGHja5nS1aPP4H6/WfJ8CqAe53jY89InBpXQpRjAMNBIn+KnVjDKXurV2I/REO0XjVp/IxSdccxx7a9LcaZuo1bYnVCS3PFt9BOGsUV/WVnH4jyD6vql3dRlJRubMlb031xrqbozcrnepI/qRJEAuIuvQat6aowf8RqoNnbtxOOGepC6Hc1QZp6L+/6b/EmbVES/mQpKNEji8NRDIHkecWfb5pOcuaTMC9TzQs//tVPtTjw2kfaiuiMy/b47hwXRw3b3Z/L5qm1GIMzqTnwSnIWwAvtcm/ZosCT6Gkp5UAQsn9BvVBsAdyaPuJ556ohjxD+ckqHVoz8wFmHzvuLrY/bR4RtqabhI1SG+GH+U8dk+RVZ19FUphuP+1pkmsDw9Hli/YtEg7AgMBAAGjMjAwMB0GA1UdDgQWBBTXtZPdF7dIGGVXoRT9D35BMUE1VDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCBk2+eHVC6WWkLCDRqfT/pD38to9JsD8Sb66jAf54zFl06Iu9RcBDWsUsrm0gEjY3mm8GWipkdGzSiZ83PIPeM6mClep7HxptnqyJeyZeI3y/JgHblmN1DN5lYv9jw9U/lW48SuQzmwNyfwlxYCZC6ZjcHGKWxTfd4d0Dsb2VLdrlPNy7E+mUQRBV+hwuBoOfYKMWkSWedLk8kIx93TWMVlyN9ifd81jdLwsmpVMiCjmq6xyGVGp8FiMfUpQ4N5Ul2/LK4Bli3eRuKh1jeb+quabsRcqvoadTDTshjCZs7iWhn3xPfLDeekh/8DYbbUhd2ezYlC8f0t5BwDnB+hi2WHzeKnzqYFTwW5L9FOcnNnwJMSxYcmMr5t5IB3xTIe/zbg7C7ZHcPKvaSEhrAtQme0Do6bAGEvh5NmpABvu4HHhxV9qCZKU+yc8KJVoHK/+Y+ejgC6hGE9c87f35wl/1w0Un7p6/kA5k1ZUuvPAFmKagcvCD6OG3QRSHb8c0+Cn8OkUCGUdPKFEVhLUrYAk8uFyHQeXdXn6fYPXxjhzk37Uf+VujPbAsDJCPkkAPQtnZHXwlJrdsPqqv+cu9rdgBXNEL0GWLahtuWmQTBuUtlYQZUOUMRVz8h4v2q3psLxLXHT5i9AvvS6rgRHAEazA6k1qRjBwzyJqG2F0ir34wXlg==", "ServerSignature": "GllkWVfYDosX3UjXL8lo6lEgsmnc4OPUb3b1Xg0SUTkDkC34oEHJyBVfJtXGMfQY6cfGQM50r9SZeGgcdwFzQwFmIJfLFjSp+5FS888txCqpGSdjsSmQc2/4gGd198ccF03NAYPCMEzjejLcM5W1jLFxGMfnNmJM4F5FGVa3RARJlGI8SuzxGxBTYBdEMf1WhMOxEntoG7spd/QJ8a0pTGbsaTGA+wpupS2JmnBQ09Fu8EnEXyDAfJPhJ8f1z5mL+FulBrKOt0074icNbS71t7QcbkFWwijpNd2dhhZR3Y/ygmN4tUPasmWmS/lmkeZmXlkpurAQxUWT9BZSb/Lp5x3EIV4XRCQBMkG6TaiidkONikGLhrYEB5pEXqwCfBzs8COgzSMa6k7ME6RRw/4sGNMD0x+tziMFFLM3apNihu1l66bdM7dkJh1oV/P1e37Lgqb10F98g9YD6MxGXGFHVU40BIOHyQlSRMPGVcN2xZqt5GIrNNcZ5UkfXlYg2tCzXtQzZjgodxdEytbWJGX2AhIqpwVVrynT2Y6pUGk6hABojpzVQaaPJ80QaBZCv7RWZ55yROOK8GSrLuGKu8mUY/1bEqv5yzeONXhGroEGXCfNORyxkHFqx4SK1+WkCdGiaQ8myOOdyB6qLPmDAqxLyBcxhcjYCQFicwjcBsF2BkY=", "Group": "17+1_Fuck"}
SourceRuleDescriptionAuthorStrings
1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
    1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeWindows_Trojan_Asyncrat_11a11ba1unknownunknown
    • 0xc92e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xf7cb:$a2: Stub.exe
    • 0xf85b:$a2: Stub.exe
    • 0x9376:$a3: get_ActivatePong
    • 0xcb49:$a4: vmware
    • 0xc9be:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0xa271:$a6: get_SslClient
    1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
    • 0xc9c0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
    No Sigma rule has matched
    No Suricata rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeMalware Configuration Extractor: AsyncRAT {"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "true", "Install_Folder": "%Temp%", "Install_File": "DMIDE45.tmp.exe", "AES_key": "0jqHD5VN3sjRqjZnn65GnT60RYcJixeW", "Mutex": "ERMEUDsX4nzWMHDjtnG5JA5/XTE\"o", "AntiDetection": "true", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "Snqt7qAgsbneLLviMomu0zxihJWEPbmCht8wZWVOJAQNlnyTspAJVpkisyFdLX5JLb5jABaPfLCAYuJStI+bgQ==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAJX3OBU31PdGsgdievk+0zANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjExMDIwMDEwNzMwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIxzTLr4hnFFaKeh1kJdDFO+XMX152Kh80UYTFrsZSUdoFYtEb250ZfMcFOlbfg14wjuBrn1kaoflXitSm/EtDRAIzTfctOf0QhvGJ7/g+aDHfKIuGsBlQzqtzO+0Ab7rCDwjtSJkGXSL/UvoTF1L8kXB7kI4veHXuRqCHgHKSUomkqbYkeXrfQZTvVBXV3EVEIbLCiAIOsXRjLtd6KuopfwinutWYntLXaN4HO9JSsSRJ/NIj7YV78VqZUIl3ykpxEKKBtAsy9hmDzNmSHckfA9xi7b8lnUm4uVGHja5nS1aPP4H6/WfJ8CqAe53jY89InBpXQpRjAMNBIn+KnVjDKXurV2I/REO0XjVp/IxSdccxx7a9LcaZuo1bYnVCS3PFt9BOGsUV/WVnH4jyD6vql3dRlJRubMlb031xrqbozcrnepI/qRJEAuIuvQat6aowf8RqoNnbtxOOGepC6Hc1QZp6L+/6b/EmbVES/mQpKNEji8NRDIHkecWfb5pOcuaTMC9TzQs//tVPtTjw2kfaiuiMy/b47hwXRw3b3Z/L5qm1GIMzqTnwSnIWwAvtcm/ZosCT6Gkp5UAQsn9BvVBsAdyaPuJ556ohjxD+ckqHVoz8wFmHzvuLrY/bR4RtqabhI1SG+GH+U8dk+RVZ19FUphuP+1pkmsDw9Hli/YtEg7AgMBAAGjMjAwMB0GA1UdDgQWBBTXtZPdF7dIGGVXoRT9D35BMUE1VDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCBk2+eHVC6WWkLCDRqfT/pD38to9JsD8Sb66jAf54zFl06Iu9RcBDWsUsrm0gEjY3mm8GWipkdGzSiZ83PIPeM6mClep7HxptnqyJeyZeI3y/JgHblmN1DN5lYv9jw9U/lW48SuQzmwNyfwlxYCZC6ZjcHGKWxTfd4d0Dsb2VLdrlPNy7E+mUQRBV+hwuBoOfYKMWkSWedLk8kIx93TWMVlyN9ifd81jdLwsmpVMiCjmq6xyGVGp8FiMfUpQ4N5Ul2/LK4Bli3eRuKh1jeb+quabsRcqvoadTDTshjCZs7iWhn3xPfLDeekh/8DYbbUhd2ezYlC8f0t5BwDnB+hi2WHzeKnzqYFTwW5L9FOcnNnwJMSxYcmMr5t5IB3xTIe/zbg7C7ZHcPKvaSEhrAtQme0Do6bAGEvh5NmpABvu4HHhxV9qCZKU+yc8KJVoHK/+Y+ejgC6hGE9c87f35wl/1w0Un7p6/kA5k1ZUuvPAFmKagcvCD6OG3QRSHb8c0+Cn8OkUCGUdPKFEVhLUrYAk8uFyHQeXdXn6fYPXxjhzk37Uf+VujPbAsDJCPkkAPQtnZHXwlJrdsPqqv+cu9rdgBXNEL0GWLahtuWmQTBuUtlYQZUOUMRVz8h4v2q3psLxLXHT5i9AvvS6rgRHAEazA6k1qRjBwzyJqG2F0ir34wXlg==", "ServerSignature": "GllkWVfYDosX3UjXL8lo6lEgsmnc4OPUb3b1Xg0SUTkDkC34oEHJyBVfJtXGMfQY6cfGQM50r9SZeGgcdwFzQwFmIJfLFjSp+5FS888txCqpGSdjsSmQc2/4gGd198ccF03NAYPCMEzjejLcM5W1jLFxGMfnNmJM4F5FGVa3RARJlGI8SuzxGxBTYBdEMf1WhMOxEntoG7spd/QJ8a0pTGbsaTGA+wpupS2JmnBQ09Fu8EnEXyDAfJPhJ8f1z5mL+FulBrKOt0074icNbS71t7QcbkFWwijpNd2dhhZR3Y/ygmN4tUPasmWmS/lmkeZmXlkpurAQxUWT9BZSb/Lp5x3EIV4XRCQBMkG6TaiidkONikGLhrYEB5pEXqwCfBzs8COgzSMa6k7ME6RRw/4sGNMD0x+tziMFFLM3apNihu1l66bdM7dkJh1oV/P1e37Lgqb10F98g9YD6MxGXGFHVU40BIOHyQlSRMPGVcN2xZqt5GIrNNcZ5UkfXlYg2tCzXtQzZjgodxdEytbWJGX2AhIqpwVVrynT2Y6pUGk6hABojpzVQaaPJ80QaBZCv7RWZ55yROOK8GSrLuGKu8mUY/1bEqv5yzeONXhGroEGXCfNORyxkHFqx4SK1+WkCdGiaQ8myOOdyB6qLPmDAqxLyBcxhcjYCQFicwjcBsF2BkY=", "Group": "17+1_Fuck"}
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeReversingLabs: Detection: 47%
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.8% probability
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeJoe Sandbox ML: detected
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Networking

    barindex
    Source: Malware configuration extractorURLs: windows11.theworkpc.com

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLE

    System Summary

    barindex
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: No import functions for PE file found
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: Data appended to the last section found
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeBinary or memory string: OriginalFilenameStub.exe" vs 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
    Source: classification engineClassification label: mal88.troj.evad.winEXE@0/0@0/0
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeReversingLabs: Detection: 47%
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Boot Survival

    barindex
    Source: Yara matchFile source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLE

    Malware Analysis System Evasion

    barindex
    Source: Yara matchFile source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLE
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeBinary or memory string: SBIEDLL.DLL
    Source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exeBinary or memory string: vmware

    Lowering of HIPS / PFW / Operating System Security Settings

    barindex
    Source: Yara matchFile source: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe, type: SAMPLE
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    Scheduled Task/Job
    1
    Scheduled Task/Job
    1
    Scheduled Task/Job
    1
    Obfuscated Files or Information
    OS Credential Dumping11
    Security Software Discovery
    Remote ServicesData from Local System1
    Application Layer Protocol
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe47%ReversingLabs
    1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe100%Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    NameIPActiveMaliciousAntivirus DetectionReputation
    s-part-0035.t-0009.t-msedge.net
    13.107.246.63
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      windows11.theworkpc.comtrue
        unknown
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1578600
        Start date and time:2024-12-19 23:28:47 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:1
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe
        Detection:MAL
        Classification:mal88.troj.evad.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis
        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.63
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
        • VT rate limit hit for: 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe
        No simulations
        No context
        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        s-part-0035.t-0009.t-msedge.net17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exeGet hashmaliciousAsyncRATBrowse
        • 13.107.246.63
        1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeGet hashmaliciousQuasarBrowse
        • 13.107.246.63
        file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
        • 13.107.246.63
        Gioia Faggioli-End Of Year-Bonus.docxGet hashmaliciousUnknownBrowse
        • 13.107.246.63
        dz6dQWx0DD.dllGet hashmaliciousNitolBrowse
        • 13.107.246.63
        Eallentoff_401k_1484013830.htmlGet hashmaliciousHTMLPhisherBrowse
        • 13.107.246.63
        INVOICE-0098.pdf ... .lnk.lnk.d.lnkGet hashmaliciousUnknownBrowse
        • 13.107.246.63
        hnghksdjfhs19De.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
        • 13.107.246.63
        CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
        • 13.107.246.63
        LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
        • 13.107.246.63
        No context
        No context
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):5.444320067160353
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
        • Win32 Executable (generic) a (10002005/4) 49.97%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe
        File size:65'457 bytes
        MD5:15c0e802a7c4df842a25733804d8a0ba
        SHA1:294a3e89a445bf2d27f242c14fea323c34d55585
        SHA256:a9e62ae675e9d0db930a35c24857f2e102d609a49425e7e2c97a7b1b2555e669
        SHA512:f7c2a7a6f90b39e383b5cce78a5cbdbdd5bd3dae641bd4d566c4f9a0e288892e55afdf3a236601aecbe3c05e8f1d108cb01a38456e50ddd4eb8228c1f2288b30
        SSDEEP:1536:mMNhAoa1YtmkscJsMKUeRauCY0b9APLlahEszOrITGpn:mM7ArYYkDsMKUeRX0b91EszOOyn
        TLSH:97530A053BE8911AF3BE8F749DF6654106F9F4AB2D12C55D0C8C05CE0663B86AA41BFB
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.4d................................. ... ....@.. .......................`............`................................
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x410ece
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0x64348F75 [Mon Apr 10 22:36:37 2023 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:
        Instruction
        adc byte ptr [eax], dl
        add dword ptr [ecx], eax
        adc eax, 1E015112h
        add byte ptr [01FD8112h], dl
        push ds
        add byte ptr [edx+ecx], al
        add dword ptr [edx], edx
        je 00007FBE4D99766Bh
        and byte ptr [eax], al
        adc eax, 01F58111h
        adc eax, dword ptr [eax]
        pop es
        adc eax, 01F58111h
        adc dh, byte ptr [esp+eax+20h]
        add byte ptr [ebx], dl
        add byte ptr [13020120h], al
        add byte ptr [esi], al
        and byte ptr [ecx], al
        add dword ptr [ecx], edx
        add byte ptr [ecx], 00000002h
        sbb eax, 0100071Ch
        adc al, byte ptr [edx+06051D05h]
        and byte ptr [ecx], al
        adc al, byte ptr [edx+200D0E09h]
        add eax, 82110E1Ch
        or eax, 1C118212h
        sbb eax, 0100061Ch
        adc al, byte ptr [ecx+00050E4Dh]
        add al, byte ptr [ecx]
        push cs
        push cs
        push es
        add byte ptr [ebx], al
        add dword ptr [esi], ecx
        push cs
        add al, byte ptr [ebx]
        pop es
        add dword ptr [82120000h+eax], ebx
        adc eax, 12012007h
        add byte ptr [0006051Dh], 00000001h
        sbb al, 12h
        or byte ptr [ecx], 00000008h
        add byte ptr [ecx], al
        adc al, byte ptr [edx+1D821109h]
        or dword ptr [eax], eax
        add dl, byte ptr [edx]
        and byte ptr [ecx], 00000011h
        and byte ptr [05001C0Eh], 00000012h
        sub byte ptr [0E318211h], 00000015h
        adc al, byte ptr [ecx-7DEDFE03h]
        or dword ptr [edx], edx
        or byte ptr [ecx], 00000015h
        adc al, byte ptr [ecx-7DEDFE03h]
        and dword ptr [edi], edx
        adc eax, 15015912h
        adc bl, byte ptr [ebp+0Ah]
        adc ah, byte ptr [ecx+1Ch]
        adc cl, byte ptr [000E0912h]
        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x10e780x53.text
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x7ff.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000xc.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x20000xeed40xf00034a61d754976345448b0264f0a5ba7ecFalse0.45525716145833334data5.488562831396003IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc0x120000x7ff0x800994e2111ace8e648c69c023b58e0232cFalse0.43994140625data4.168730765045266IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x140000xc0x200d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ
        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
        Dec 19, 2024 23:29:41.981734037 CET1.1.1.1192.168.2.100xd012No error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
        Dec 19, 2024 23:29:41.981734037 CET1.1.1.1192.168.2.100xd012No error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
        No statistics
        No system behavior
        No disassembly