
Windows Analysis Report
1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe

Overview

General Information

Sample name: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
Analysis ID: 1578608
MD5: 3396089e42b45faa5a8edeb249ec6ccd
SHA1: 7c20a1d5502ed2c0c94c34799bac5203a504d851
SHA256: 97fb0982a2e2177491ff62cb07c49c895cd761aec81da722ed18c13cdf578984
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

AsyncRAT
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
PE file does not import any functions
PE file overlay found
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "DMIDE45.tmp.exe", "AES_key": "hgBtGlNaJurG4RGwPTntsZEFA7zQY5jY", "Mutex": "ERMEUDsX4nzWMHDjtnG5JA5/XTE\"o", "AntiDetection": "false", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "3po4CbzHv1StRy4BESbe+1+gZlZ96iuXSEpNkXYCxYVjs0LCNa1n9heVp1Z7lpPzK3lpDDS/ghrI9VQ9tjNHsQ==", "Certificate": "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", "ServerSignature": "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", "Group": "17+1_Fuck"}
Source | Rule | Description | Author | Strings
Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
    Rule: JoeSecurity_AsyncRAT
    Description: Yara detected AsyncRAT
    Author: Joe Security
Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
    Rule: Windows_Trojan_Asyncrat_11a11ba1
    Description: unknown
    Author: unknown
    Strings:
    • 0xc915:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xf7b0:$a2: Stub.exe
    • 0xf840:$a2: Stub.exe
    • 0x9352:$a3: get_ActivatePong
    • 0xcb2d:$a4: vmware
    • 0xc9a5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0xa254:$a6: get_SslClient
Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
    Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
    Description: Detects file containing reversed ASEP Autorun registry keys
    Author: ditekSHen
    Strings:
    • 0xc9a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"Server": "windows11.theworkpc.com", "Ports": "2022", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "DMIDE45.tmp.exe", "AES_key": "hgBtGlNaJurG4RGwPTntsZEFA7zQY5jY", "Mutex": "ERMEUDsX4nzWMHDjtnG5JA5/XTE\"o", "AntiDetection": "false", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "3po4CbzHv1StRy4BESbe+1+gZlZ96iuXSEpNkXYCxYVjs0LCNa1n9heVp1Z7lpPzK3lpDDS/ghrI9VQ9tjNHsQ==", "Certificate": "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", "ServerSignature": "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", "Group": "17+1_Fuck"}
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | ReversingLabs: Detection: 39%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Joe Sandbox ML: detected
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Networking

    Source: Malware configuration extractor | URLs: windows11.theworkpc.com

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match | File source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE

    System Summary

    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: No import functions for PE file found
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: Data appended to the last section found
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Binary or memory string: OriginalFilenameStub.exe" vs 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
    Source: classification engine | Classification label: mal88.troj.evad.winEXE@0/0@0/0
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | ReversingLabs: Detection: 39%
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Boot Survival

    Source: Yara match | File source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE

    Malware Analysis System Evasion

    Source: Yara match | File source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Binary or memory string: SBIEDLL.DLL
    Source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | Binary or memory string: vmware

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: Yara match | File source: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe, type: SAMPLE
    Tactic: Technique (number of matching signatures in parentheses where the matrix shows one)
    Reconnaissance: Gather Victim Identity Information
    Resource Development: Acquire Infrastructure
    Initial Access: Valid Accounts
    Execution: Scheduled Task/Job (1)
    Persistence: Scheduled Task/Job (1)
    Privilege Escalation: Scheduled Task/Job (1)
    Defense Evasion: Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping
    Discovery: Security Software Discovery (11)
    Lateral Movement: Remote Services
    Collection: Data from Local System
    Command and Control: Application Layer Protocol (1)
    Exfiltration: Exfiltration Over Other Network Medium
    Impact: Abuse Accessibility Features
    Source | Detection | Scanner | Label | Link
    1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | 39% | ReversingLabs
    1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    windows11.theworkpc.com | true | | unknown
    No contacted IP infos
        Joe Sandbox version: 41.0.0 Charoite
        Analysis ID: 1578608
        Start date and time: 2024-12-19 23:31:46 +01:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 1m 33s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed: 1
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
        Detection: MAL
        Classification: mal88.troj.evad.winEXE@0/0@0/0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Unable to launch sample, stop analysis
        • No process behavior to analyse as no analysis process or sample was found
        • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.63
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
        • VT rate limit hit for: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
        No simulations
        No context
        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
        Match: s-part-0035.t-0009.t-msedge.net
        • 17346471075cda6f52d28bb99d0fb4a0a36b95ba9175e33925cffe8347818dc425c0939518385.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 13.107.246.63
        • 1734647108c2d815e9b224b58a4453e937ebbee326356eaa9618758f1ee8f3e412a78fcc82730.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
        • 1734647107844cefc30e20a3cfa75326746e701b95e6b08e7c9f9df9ee9dffdfb305989914130.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
        • 17346471071327285ef086de4665e082957c3e792cf4eed0d7926676db9f12a7d8cce93192399.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
        • 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe | Get hash | malicious | Quasar | Browse | 13.107.246.63
        • file.exe | Get hash | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | Browse | 13.107.246.63
        • Gioia Faggioli-End Of Year-Bonus.docx | Get hash | malicious | Unknown | Browse | 13.107.246.63
        • dz6dQWx0DD.dll | Get hash | malicious | Nitol | Browse | 13.107.246.63
        • Eallentoff_401k_1484013830.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.63
        • INVOICE-0098.pdf ... .lnk.lnk.d.lnk | Get hash | malicious | Unknown | Browse | 13.107.246.63
        No created / dropped files found
        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit): 5.445867466343719
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
        • Win32 Executable (generic) a (10002005/4) 49.97%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name: 1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe
        File size: 65'430 bytes
        MD5: 3396089e42b45faa5a8edeb249ec6ccd
        SHA1: 7c20a1d5502ed2c0c94c34799bac5203a504d851
        SHA256: 97fb0982a2e2177491ff62cb07c49c895cd761aec81da722ed18c13cdf578984
        SHA512: 156485f06524e4f6bf9fb186df587e798f3ddecc3bb1b9e320c176a587f669246e4d86421423b8e1780f1e47f4432adaf71de7276ef7b02d4e2ad9f482f828ab
        SSDEEP: 1536:CQXzZ8fkYB5Wk3ytsMuUeR9qAda0bbQAVAseIq+Gpv3iPbrjTGFn:CQjZ88akkQsMuUeRcA/bbQtpV67Gn
        TLSH: 6C53FA053BE8901AF2BECF749DF7658146F9F4AB2D12D54D0C8911CE0633B86A941BBB
        File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.4d................................. ... ....@.. .......................`............`................................
        Icon Hash: 90cececece8e8eb0
        Entrypoint: 0x410ece
        Entrypoint Section: .text
        Digitally signed: false
        Imagebase: 0x400000
        Subsystem: windows gui
        Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp: 0x64348F75 [Mon Apr 10 22:36:37 2023 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major: 4
        OS Version Minor: 0
        File Version Major: 4
        File Version Minor: 0
        Subsystem Version Major: 4
        Subsystem Version Minor: 0
        Import Hash:
        Instruction
        and byte ptr [eax], al
        adc eax, 01F58111h
        adc eax, dword ptr [eax]
        pop es
        adc eax, 01F58111h
        adc dh, byte ptr [esp+eax+20h]
        add byte ptr [ebx], dl
        add byte ptr [13020120h], al
        add byte ptr [esi], al
        and byte ptr [ecx], al
        add dword ptr [ecx], edx
        add byte ptr [ecx], 00000002h
        sbb eax, 0100071Ch
        adc al, byte ptr [edx+06051D05h]
        and byte ptr [ecx], al
        adc al, byte ptr [edx+200D0E09h]
        add eax, 82110E1Ch
        or eax, 1C118212h
        sbb eax, 0100061Ch
        adc al, byte ptr [ecx+00050E4Dh]
        add al, byte ptr [ecx]
        push cs
        push cs
        push es
        add byte ptr [ebx], al
        add dword ptr [esi], ecx
        push cs
        add al, byte ptr [ebx]
        pop es
        add dword ptr [82120000h+eax], ebx
        adc eax, 12012007h
        add byte ptr [0006051Dh], 00000001h
        sbb al, 12h
        or byte ptr [ecx], 00000008h
        add byte ptr [ecx], al
        adc al, byte ptr [edx+1D821109h]
        or dword ptr [eax], eax
        add dl, byte ptr [edx]
        and byte ptr [ecx], 00000011h
        and byte ptr [05001C0Eh], 00000012h
        sub byte ptr [0E318211h], 00000015h
        adc al, byte ptr [ecx-7DEDFE03h]
        or dword ptr [edx], edx
        or byte ptr [ecx], 00000015h
        adc al, byte ptr [ecx-7DEDFE03h]
        and dword ptr [edi], edx
        adc eax, 15015912h
        adc bl, byte ptr [ebp+0Ah]
        adc ah, byte ptr [ecx+1Ch]
        adc cl, byte ptr [1D0E0912h]
        add eax, 0E0E4512h
        push cs
        or eax, dword ptr [eax]
        add dword ptr [13015912h], edx
        add byte ptr [edx], dl
        sub byte ptr [00130603h], 00000000h
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e7c | 0x4f | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0xeed4 | 0xf000 | 2251713f00665d247f0ccc13639d9117 | False | 0.4557291666666667 | data | 5.490546701010748 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc | 0x12000 | 0x7ff | 0x800 | 13adf7d725c4eaee733c90f3867c0164 | False | 0.4365234375 | data | 4.184819784646382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x14000 | 0xc | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Dec 19, 2024 23:32:36.350972891 CET | 1.1.1.1 | 192.168.2.3 | 0xc530 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
        Dec 19, 2024 23:32:36.350972891 CET | 1.1.1.1 | 192.168.2.3 | 0xc530 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
        No statistics
        No system behavior
        No disassembly