Edit tour

Windows Analysis Report
systempreter.exe

Overview

General Information

Sample name:	systempreter.exe
Analysis ID:	1582633
MD5:	d07714b594ae5d7f674c7fcf6a803807
SHA1:	938efbba8d8e34c2d1dcc0db37a84f887ae6724f
SHA256:	ad8248e7dafb0a1b3d6c22dac544f0abcfab093a75561e534a473d46917f1d47
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

systempreter.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\systempreter.exe" MD5: D07714B594AE5D7F674C7FCF6A803807)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "6.tcp.eu.ngrok.io", "Ports": "12925", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "MK91XYMOqmeCC1gruq5zLNqgxLkrjgzK", "Mutex": "hDtjdONRXVCh", "Certificate": "MIIE8jCCAtqgAwIBAgIQAP0oyiOz3B6IlGmGQxDdOTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQxMjI3MTYwODExWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL81KWlg/fnIqdbRhcZAWTJXSZyblsfdmVXtpoDKqUW3mZW6wAser7vp+5ZFOyoziZ07q+uPix+p8mU7pYPRk5AdXEE3etHPJsuF3vU89lwDU8EzLnFSqILEX27yUQDCczwhG8coxKU7+Etmj90VXH+GqBDAf0rhEEQ79pxnSxVsZrTVntMm150OmFaXglX80L1s1LbBW5k2U4kjR6MVsVr4++8kH3/1PQIl/9u4RxWSipRCC+0ko5YlGuMtDiURgAfWJaDqp55MyPJdaads/c5VpUKHgpp3QHYyKxwHfook/IxJv7F69mJIOGtIx0WoH/A5n6BC7GVoZBo10rJQ/K/PqxUZtLxtLPqb2tR1z4AbGcNJs1GJ65HnFZbl4JlRJSZUNkCloNollmUomImI61vsgvrX7eds+KAGnIR/FA3ZqcsGi0HOybcL7cLq/C53cxD6de6zjL6E3Y6cnOaJVcEZiL/Ht1DLvPjYi0oGYGYnrQmnfuvTMHXdENymDdkr5UzuzAmbLqfMoIr/VhYxFE2yFB58yfGgyCIIjq2f8CsnW4FVvBlj8wu9pgaLJDfaIt/kk10smBJrHmApWM2dBNfuAH81aOC5wH7D9NCJQsjI6t5Z8STEOUEieRlGSDGHYDD1V/mNz7W0quApyUzp2BxnNLbxwvI1i6QOUMwVf+LAgMBAAGjMjAwMB0GA1UdDgQWBBRXDQJGYiU2B9aIEfynLf86NKMKxDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQDgWGOa86eW1S706lfEMR3eHEOG8aheW1bclqFdCU//CEMTVj5y+jxgmdDi6D1VPyj6BY7xrRIc2dxK77fA3G6mnzf2NGatOUuWtfTQml2K6M8Lmsjut/G05hAM3R/DLalds1qmqmvs3+9jwguSd6FMDkZ1/we+yP3zPzByqJM2+cnAPKisGcimf/XTlImc86Qs1aCn1UW86vNsDFjHPeLKRkem23zZf1CGMxTrg1n5YWvYcLwoRK238te99h10XMVF4VzMAg6M0lMqsRcn+59P9SFNO2uHOXCpc5Z5u1b2ueP1YZ58jZMpxSyrRTByb5tomHR5C9MWdAR0Uf2KZvtN8QX0WmmxxjXzltoy9eunK57DJ7pYbFXw2WtIK31AObxL8k7d/Tj7tMtX0xD3PVT52sfdyL1B7VejcOGaia3IqmIyy3HmVaBWLqNaVLz02VTmMhfGgdufs2ElNstaIvkMVIr9sAdPhIcvi4so7oavxc3fFcZ5FMRBaOytYgmi4NIFKqdIOVWWKyKFyALDaI9ltTxeDDA9DGXFgaPWr+607z0suV4gi//RZNePt88/ofSKXJSzGHCwE+pVhMJPOT/s9Hxo/q4UtJ6sytT/10GNJ7t18uvtF5HeMXPLS3h4K/B47Zv2sjWfoApzSbGkcViHo8NRFRQkiudAt/u3zu3afQ==", "ServerSignature": "DHvyoNyX5eL00U2I93ULMTiza3OmiuwwIPWMljP1fsu+AdOByxC0k8/oQBKf+BOD3inmIcpFsumEaRGH+dtEgJJtVwE9G6lELNPRbS0LWDCuBRB/4d9jpmKq3onz+2N/IW0xab/zBqbmOXgVMMCkx6jgdMK6z0uv//JN3+72hxOUAnniVBq2wOTSQ63Bk87IXgOzJCBRbd+yX0erjd0bdnz+3rtd9wHEVaewq96DmNTiMXwlkr3mZBzwJEEQK7tpHk9rmJrxkltcJeVKO+XjA4dd/suYAaafydb34RwIDIC2kQjkxzCPHMeY0peBuWRSlFBeQ3Fer6bSm+b9Nb0iHvvHzhCTNEv6cQQPxiz2vUtmOhAMx7t6ZnBsch9/6m4M0knc5oLiEJ9rCR1kDmtOBIsnlsam/icBdip8XdQYwQgl/AB1isOpFtVCDEnadkXojpy+/4YC3wE/ojiWzofXn5Y5QBrwyBzk8ZzZwt1Meg63VGmvunBXQCHb3YG0dzzLgZksvaXRZt5IecW8qlUoJa9IoGDaDd9+nB17vcSsL6xu7cZa0YuTWHQzjlHHsdzKDIk4rMutviZBZVzyfIE2Uab+llp2eT7QNIOgclX3bZo/ubaMd6Y6QtUwtfUHNAfK6nvEDeB/8xhgHwUv8vqAlqYTbVbCmz0OhL/YWXjeCGg=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
systempreter.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
systempreter.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
systempreter.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xc9b8:$a2: Stub.exe 0xca48:$a2: Stub.exe 0x6ff9:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7cd5:$a6: get_SslClient
systempreter.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ff9:$str01: get_ActivatePong 0x7cd5:$str02: get_SslClient 0x7cf1:$str03: get_TcpClient 0x662a:$str04: get_SendSync 0x66ba:$str05: get_IsConnected 0x6d63:$str06: set_UseShellExecute 0xa591:$str07: Pastebin 0xa613:$str08: Select * from AntivirusProduct 0xc9b8:$str09: Stub.exe 0xca48:$str09: Stub.exe 0xa36b:$str10: timeout 3 > NUL 0xa25b:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa2eb:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
systempreter.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: systempreter.exe PID: 7348	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: systempreter.exe PID: 7348	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd631:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.systempreter.exe.660000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.systempreter.exe.660000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa25b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xc9b8:$a2: Stub.exe 0xca48:$a2: Stub.exe 0x6ff9:$a3: get_ActivatePong 0xa473:$a4: vmware 0xa2eb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7cd5:$a6: get_SslClient
0.0.systempreter.exe.660000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ff9:$str01: get_ActivatePong 0x7cd5:$str02: get_SslClient 0x7cf1:$str03: get_TcpClient 0x662a:$str04: get_SendSync 0x66ba:$str05: get_IsConnected 0x6d63:$str06: set_UseShellExecute 0xa591:$str07: Pastebin 0xa613:$str08: Select * from AntivirusProduct 0xc9b8:$str09: Stub.exe 0xca48:$str09: Stub.exe 0xa36b:$str10: timeout 3 > NUL 0xa25b:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa2eb:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.systempreter.exe.660000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2ed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: systempreter.exe

Avira: detected

Antivirus detection for URL or domain

Source: 6.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Found malware configuration

Source: systempreter.exe

Malware Configuration Extractor: AsyncRAT {"Server": "6.tcp.eu.ngrok.io", "Ports": "12925", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "MK91XYMOqmeCC1gruq5zLNqgxLkrjgzK", "Mutex": "hDtjdONRXVCh", "Certificate": "MIIE8jCCAtqgAwIBAgIQAP0oyiOz3B6IlGmGQxDdOTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQxMjI3MTYwODExWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL81KWlg/fnIqdbRhcZAWTJXSZyblsfdmVXtpoDKqUW3mZW6wAser7vp+5ZFOyoziZ07q+uPix+p8mU7pYPRk5AdXEE3etHPJsuF3vU89lwDU8EzLnFSqILEX27yUQDCczwhG8coxKU7+Etmj90VXH+GqBDAf0rhEEQ79pxnSxVsZrTVntMm150OmFaXglX80L1s1LbBW5k2U4kjR6MVsVr4++8kH3/1PQIl/9u4RxWSipRCC+0ko5YlGuMtDiURgAfWJaDqp55MyPJdaads/c5VpUKHgpp3QHYyKxwHfook/IxJv7F69mJIOGtIx0WoH/A5n6BC7GVoZBo10rJQ/K/PqxUZtLxtLPqb2tR1z4AbGcNJs1GJ65HnFZbl4JlRJSZUNkCloNollmUomImI61vsgvrX7eds+KAGnIR/FA3ZqcsGi0HOybcL7cLq/C53cxD6de6zjL6E3Y6cnOaJVcEZiL/Ht1DLvPjYi0oGYGYnrQmnfuvTMHXdENymDdkr5UzuzAmbLqfMoIr/VhYxFE2yFB58yfGgyCIIjq2f8CsnW4FVvBlj8wu9pgaLJDfaIt/kk10smBJrHmApWM2dBNfuAH81aOC5wH7D9NCJQsjI6t5Z8STEOUEieRlGSDGHYDD1V/mNz7W0quApyUzp2BxnNLbxwvI1i6QOUMwVf+LAgMBAAGjMjAwMB0GA1UdDgQWBBRXDQJGYiU2B9aIEfynLf86NKMKxDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQDgWGOa86eW1S706lfEMR3eHEOG8aheW1bclqFdCU//CEMTVj5y+jxgmdDi6D1VPyj6BY7xrRIc2dxK77fA3G6mnzf2NGatOUuWtfTQml2K6M8Lmsjut/G05hAM3R/DLalds1qmqmvs3+9jwguSd6FMDkZ1/we+yP3zPzByqJM2+cnAPKisGcimf/XTlImc86Qs1aCn1UW86vNsDFjHPeLKRkem23zZf1CGMxTrg1n5YWvYcLwoRK238te99h10XMVF4VzMAg6M0lMqsRcn+59P9SFNO2uHOXCpc5Z5u1b2ueP1YZ58jZMpxSyrRTByb5tomHR5C9MWdAR0Uf2KZvtN8QX0WmmxxjXzltoy9eunK57DJ7pYbFXw2WtIK31AObxL8k7d/Tj7tMtX0xD3PVT52sfdyL1B7VejcOGaia3IqmIyy3HmVaBWLqNaVLz02VTmMhfGgdufs2ElNstaIvkMVIr9sAdPhIcvi4so7oavxc3fFcZ5FMRBaOytYgmi4NIFKqdIOVWWKyKFyALDaI9ltTxeDDA9DGXFgaPWr+607z0suV4gi//RZNePt88/ofSKXJSzGHCwE+pVhMJPOT/s9Hxo/q4UtJ6sytT/10GNJ7t18uvtF5HeMXPLS3h4K/B47Zv2sjWfoApzSbGkcViHo8NRFRQkiudAt/u3zu3afQ==", "ServerSignature": "DHvyoNyX5eL00U2I93ULMTiza3OmiuwwIPWMljP1fsu+AdOByxC0k8/oQBKf+BOD3inmIcpFsumEaRGH+dtEgJJtVwE9G6lELNPRbS0LWDCuBRB/4d9jpmKq3onz+2N/IW0xab/zBqbmOXgVMMCkx6jgdMK6z0uv//JN3+72hxOUAnniVBq2wOTSQ63Bk87IXgOzJCBRbd+yX0erjd0bdnz+3rtd9wHEVaewq96DmNTiMXwlkr3mZBzwJEEQK7tpHk9rmJrxkltcJeVKO+XjA4dd/suYAaafydb34RwIDIC2kQjkxzCPHMeY0peBuWRSlFBeQ3Fer6bSm+b9Nb0iHvvHzhCTNEv6cQQPxiz2vUtmOhAMx7t6ZnBsch9/6m4M0knc5oLiEJ9rCR1kDmtOBIsnlsam/icBdip8XdQYwQgl/AB1isOpFtVCDEnadkXojpy+/4YC3wE/ojiWzofXn5Y5QBrwyBzk8ZzZwt1Meg63VGmvunBXQCHb3YG0dzzLgZksvaXRZt5IecW8qlUoJa9IoGDaDd9+nB17vcSsL6xu7cZa0YuTWHQzjlHHsdzKDIk4rMutviZBZVzyfIE2Uab+llp2eT7QNIOgclX3bZo/ubaMd6Y6QtUwtfUHNAfK6nvEDeB/8xhgHwUv8vqAlqYTbVbCmz0OhL/YWXjeCGg=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for submitted file

Source: systempreter.exe	Virustotal: Detection: 68%			Perma Link
Source: systempreter.exe	ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: systempreter.exe

Joe Sandbox ML: detected

Source: systempreter.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: systempreter.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 6.tcp.eu.ngrok.io

Yara detected Generic Downloader

Source: Yara match

File source: systempreter.exe, type: SAMPLE

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 52.28.247.255:12925
Source: global traffic	TCP traffic: 192.168.2.4:49770 -> 3.68.171.119:12925
Source: global traffic	TCP traffic: 192.168.2.4:50020 -> 3.69.157.220:12925

Source: Joe Sandbox View	IP Address: 52.28.247.255 52.28.247.255
Source: Joe Sandbox View	IP Address: 3.68.171.119 3.68.171.119
Source: Joe Sandbox View	IP Address: 3.69.157.220 3.69.157.220

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 6.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: systempreter.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: systempreter.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: systempreter.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: systempreter.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: systempreter.exe, 00000000.00000000.1650931356.000000000066E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs systempreter.exe
Source: systempreter.exe	Binary or memory string: OriginalFilenameStub.exe" vs systempreter.exe

Source: systempreter.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: systempreter.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: systempreter.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: systempreter.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: systempreter.exe, BJPVcoiNkUCc.cs

Base64 encoded string: 'wxU5BDdsUDGV7yg69fQaXtKF1lR3icLL4vwX5D4OJeKj5icDbrljh1HZ6AYvE0woda/OQDKKHd+kdX05vC/qzg==', 'ixCnTZ1qWKUQDrPTqhPeddc/d98fmAR/DTk9QS/4lVx7W1OX6NbAwSfyob3++1C7natZh8bv+ImHG9OgpjFS+OJ8jR0SdgRPT53HS+rtO8SC07cUEbHSrS0b3drPx3pVkdXPcbZuFA44mbneJezW5BuAltuaKNKG7TvQXheAfZOfAdMdyU4RGqVABJSbr0u1WVjU+j7s9eEUBw5mYD22YJgB2h6ddi99E2AzoeSG/1sthnEj4pdm1NuAQLKygdMaiuaF/0zBeuukfMMAHyf9i4zmDgi9aU6GoeOUb1uqjh9r57Q2JEUFTQ3ZR2cgitiSU0H5d272zH3CJz+zbevyKsfrAbu5IToABB/LF7tp8ql698fN6VN1K3OXxe6sARGEKHFNWOdN3G2PzFAgpycFd7IG03oREOY/RsYnJupxLWlrumdQaIU6Jw3N5eJEoVUQ35XOsNjG2K3LPHygUZtJU4tJKhX0B2YBZe1j14cbb8Oh+EY0zHA3XkU+oOjsAu0HGFFEhjBbw54YRI7oh0RD9a0up8QpiHyN6B/DS0/kwrHJXMR8NhrljCVRXbfC/ugKjuft0YaDOccHkdjD/XP/1gLEwX1XA0FY9VdPZix3JOniBYMq/7crbC8dLbQXOaQbbsjxfp3JSMC5wlaS0z1liFN3kgF8z9F8OGUcKdtbDJP+UDSQu4hCpdClDfeo0x2l5AsJXsnUYSbfT+1A4HHHr+ifBbaPjUWYkzfb+l3sWtF1fLxKymex2CZiAMqyGaE99hWE1jU1XvJFdgM2oMnCXlinV4Kw8HDEcWwghATcVxNxVZDVyczCUpBGeOSjIiyEj4W4Nv6BCp0ZpFLLQm1erkwtUJbISBoCXeSWBBrde6pY8xpyxUtkOgpn7htuQ5XZrErZYB9lyFJihZ3YnhGoqNdEBK+xrdVjYPzndGUeArTLPa5arEgciiNL4jnZPpg/YrP2KXHuceCbhyHnmbuMJa1ndWpyLtmvyZLLCD8NFSl4qblCGnqwrfYOwITea7WxJOCiDBSQHdlany0utA1wDH2io23Y2TGiN2M5jf9zDi90v063SFKuQzVKmBKYatZcKJL+9hfoKufxLNN+7OxUA0MXOcmBIS/N3xMHRwa/C8/h3U4YA2g5mnz1Xmic2DL9S4FZ6VUqno1hgABptxSSFLsPupduqxNHbgmaD7tdbzYhvcjrMuzc7+tRkLkFN4CyJNUyiC+jAY0sXH82ZncwHB39BcPCNhrBS8+r2lMJS+VVO20HLKiPwTa+7FZASkCtcCnuZkJgfh1+pepm+NVdOfSXMjGiTk/e7P+0AmP0XQUwc0zaBd1Z8i1qiV9DYE+0HM63h+AZN4xBKUNxVvbV6NzaxZ9TGRlW3qswcz3wIorBcUBbXYFsp62kT7DI9Opd3YP7t6eeX+5ACSq3ZBcHmiKHyxLz9O9yDOjfoGY3E0g9lI4zl/IvMlqsPruI3c6SeDspxI6OlGDfm67eGBC5giKFc4yuYa4yjLmpOTheAqN1Q92GWuyDF6yrqOu3z7UwSxd7HP9/J5EtZtcbjwQxi3hWkj4+/p5n+S64R2DT0uWytjTSV8aJkV1fLJUipupBgDc/REkCa27nUalupno9+LjcRRNK+14Dsvlbnvbmp7GH0dWxOrBy1hA7Be7k9PahWkhkyTCDTSe6qSpUg7qQhscZjmCUwJCkzRkt5dpznCPwh7YddtT2mdeInV1sLO4kBR1wuAqxYjHruFOH2SDXuwz7jvR9Bxat9/5+7WvizPHk27L/3+QvxToiO1m3VEgO1XYPTK27Pn31XFq9uOePVY9g5hNrhESS+B9lriHcgw62gZhDX9OYCC95PwSl3Bh9ArZSxpjs8lZeBFiIrpodsB1ewdF8tHsedwgKIThFuknyP2PDOYvAJNMH9KVddwtNu5MfRSj00ohvVyW019a+egACmU9bQ0XeMWUGls08XYGnbWJ3X5vT1ZwK5jHKz/tUl6WRCTuBRDURytHu19ZNtE8UbxUFgnQl2vVR/jqVvzxqxye5XxMl/uTXLuxaz03Ypj1moj8FIwCka1b+LP0eghvQn14OrnXWwUYt2oIbjElykBRUACZt5ITEFdvPcpduCaSY+iqTsL0snnl+sF3vGUGlh5WNQtkmRmg8g6VeJzXSlFlG9ElHfPdofHB+wDiu7cpRY0oNBrel9PUoMNSd8BAuN7LdHnS+ccT3sfPFFFO/2DEwjZdrS5ZtjCblIM08E4QwyGk5o+YVxkIk8BpXTCClytlKLPLLPM4wgn73aLtBIz4rlnv8fFpSSswTs4A0KVmXBGPh77rEeuvIbodg28E06nST6Z3CORcfozauk3o=', 'glrFacwSSK2KIg+4FZlO/HqGottNJVC/T5xHG34i+eirG/wHVDGxSQcYLM4pKACetc+AvSugmXMbN6vXLKPb2g=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@3/3

Source: C:\Users\user\Desktop\systempreter.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\systempreter.exe	Mutant created: \Sessions\1\BaseNamedObjects\hDtjdONRXVCh

Source: systempreter.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: systempreter.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\systempreter.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: systempreter.exe	Virustotal: Detection: 68%
Source: systempreter.exe	ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Section loaded: schannel.dll	Jump to behavior

Source: systempreter.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: systempreter.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: systempreter.exe, BmMKmFunjdrwCJ.cs

High entropy of concatenated method names: 'QsakBLZLbaELC', 'nYcaIAZYDYlgEfEq', 'vtSydVRqGISO', 'oIFMNsBIdJaI', 'mLeuYBBSmnwIc', 'ZheGVjJCrfSi', 'yNoyLbOLiUmB', 'ceGZqehiIZaXXzsR', 'ldPXbEJvGR', 'VbqyFcLdzfCRZyU'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: systempreter.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: systempreter.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: systempreter.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\systempreter.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\systempreter.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\systempreter.exe TID: 7352

Thread sleep time: -75000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\systempreter.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: systempreter.exe	Binary or memory string: vmware
Source: systempreter.exe, 00000000.00000002.2904615907.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp

Source: C:\Users\user\Desktop\systempreter.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\systempreter.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\systempreter.exe

Queries volume information: C:\Users\user\Desktop\systempreter.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\systempreter.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: systempreter.exe, type: SAMPLE
Source: Yara match	File source: 0.0.systempreter.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: systempreter.exe PID: 7348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
systempreter.exe	68%	Virustotal		Browse
systempreter.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
systempreter.exe	100%	Avira	TR/Dropper.Gen
systempreter.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	52.28.247.255	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.28.247.255	6.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
3.68.171.119	unknown	United States	16509	AMAZON-02US	false
3.69.157.220	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582633
Start date and time:	2024-12-31 07:47:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	systempreter.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target systempreter.exe, PID 7348 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.28.247.255	enai2.exe	Get hash	malicious	Njrat	Browse
	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse
	1.exe	Get hash	malicious	Njrat	Browse
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	N1aqZIb7KG.exe	Get hash	malicious	Njrat	Browse
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse
3.68.171.119	aaa (3).exe	Get hash	malicious	AsyncRAT	Browse
	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse
3.69.157.220	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	Client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse
	ziTLBa3N50.exe	Get hash	malicious	Njrat	Browse
	1.exe	Get hash	malicious	Njrat	Browse
	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse
	myidJB8lDL.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6.tcp.eu.ngrok.io	enai2.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	aaa (3).exe	Get hash	malicious	AsyncRAT	Browse	3.66.38.117
	NYQbqD59m8.exe	Get hash	malicious	Nanocore	Browse	3.69.115.178
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	3.69.115.178
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	Client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	3.69.157.220
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse	3.68.171.119

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	13.32.99.103
	rjnven64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	18.245.31.129
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	54.168.12.166
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	52.63.235.181
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	52.17.112.151
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
AMAZON-02US	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	13.32.99.103
	rjnven64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	18.245.31.129
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	54.168.12.166
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	52.63.235.181
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	52.17.112.151
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
AMAZON-02US	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	13.32.99.103
	rjnven64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	18.245.31.129
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	54.168.12.166
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	52.63.235.181
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	52.17.112.151
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.871614204932907
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	systempreter.exe
File size:	53'760 bytes
MD5:	d07714b594ae5d7f674c7fcf6a803807
SHA1:	938efbba8d8e34c2d1dcc0db37a84f887ae6724f
SHA256:	ad8248e7dafb0a1b3d6c22dac544f0abcfab093a75561e534a473d46917f1d47
SHA512:	487306ea6bdd7e247c9b194eae6d1e22fe898161f6417eb773c84144584cfb96c4d47d188f38a349cee7b13887f3fdf81b5542ac914cfe072beb564899553250
SSDEEP:	1536:RuPfZTgKa2pvKBk+cabGrpgaQFezdDFdKHx:RuPBTgKa2FKBk+TbGOYzV2x
TLSH:	1D334C0477E9812AF3BE8F746CF25215857BF2673603E64D2CC4519B5A23FC28A429F9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e............................N.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	0f9b98995d291b0e

Static PE Info

General

Entrypoint:	0x40d04e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcff4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x1b80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb054	0xb200	e996bff240d39bb787c93f6ff72c0bf9	False	0.5405986657303371	data	5.612583093172456	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1b80	0x1c00	89176ee62eb6bcb546e3db18443c712e	False	0.77734375	data	7.271210236709125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	91caef5211b2a1365e139b0b7bf07352	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe130	0x12dc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9391052195526097
RT_GROUP_ICON	0xf40c	0x14	data	0.95
RT_VERSION	0xf420	0x2cc	data	0.43575418994413406
RT_MANIFEST	0xf6ec	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 07:47:59.556441069 CET	49730	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:47:59.561599016 CET	12925	49730	52.28.247.255	192.168.2.4
Dec 31, 2024 07:47:59.561695099 CET	49730	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:47:59.573543072 CET	49730	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:47:59.578393936 CET	12925	49730	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:01.190330029 CET	12925	49730	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:01.190577984 CET	49730	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:06.255949020 CET	49730	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:06.261038065 CET	12925	49730	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:06.267894030 CET	49731	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:06.272819042 CET	12925	49731	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:06.272897959 CET	49731	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:06.278692961 CET	49731	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:06.283540010 CET	12925	49731	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:07.907382011 CET	12925	49731	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:07.907449961 CET	49731	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:12.921602011 CET	49731	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:12.922456980 CET	49733	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:12.926592112 CET	12925	49731	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:12.927366018 CET	12925	49733	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:12.927443027 CET	49733	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:12.927753925 CET	49733	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:12.932662964 CET	12925	49733	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:14.565468073 CET	12925	49733	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:14.565546989 CET	49733	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:19.577899933 CET	49733	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:19.579251051 CET	49739	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:19.582835913 CET	12925	49733	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:19.584172010 CET	12925	49739	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:19.584263086 CET	49739	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:19.584609032 CET	49739	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:19.589489937 CET	12925	49739	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:21.220940113 CET	12925	49739	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:21.221029997 CET	49739	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:26.249933004 CET	49739	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:26.251238108 CET	49740	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:26.254828930 CET	12925	49739	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:26.256175041 CET	12925	49740	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:26.256253958 CET	49740	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:26.256593943 CET	49740	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:26.261415005 CET	12925	49740	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:27.891948938 CET	12925	49740	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:27.892066002 CET	49740	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:32.929754019 CET	49740	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:32.933684111 CET	49741	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:32.934803009 CET	12925	49740	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:32.938668013 CET	12925	49741	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:32.938749075 CET	49741	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:32.939076900 CET	49741	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:32.943902969 CET	12925	49741	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:34.563517094 CET	12925	49741	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:34.563606024 CET	49741	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:39.577929020 CET	49741	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:39.578835964 CET	49742	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:39.582954884 CET	12925	49741	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:39.583760023 CET	12925	49742	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:39.583846092 CET	49742	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:39.584115982 CET	49742	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:39.588964939 CET	12925	49742	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:41.223684072 CET	12925	49742	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:41.223839998 CET	49742	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:46.234083891 CET	49742	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:46.235025883 CET	49743	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:46.238969088 CET	12925	49742	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:46.239835978 CET	12925	49743	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:46.239912033 CET	49743	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:46.240160942 CET	49743	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:46.244976044 CET	12925	49743	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:47.877999067 CET	12925	49743	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:47.878103971 CET	49743	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:52.890522957 CET	49743	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:52.891688108 CET	49745	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:52.895457983 CET	12925	49743	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:52.896619081 CET	12925	49745	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:52.896703959 CET	49745	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:52.897038937 CET	49745	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:52.901874065 CET	12925	49745	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:54.583868027 CET	12925	49745	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:54.583952904 CET	49745	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:59.593529940 CET	49745	12925	192.168.2.4	52.28.247.255
Dec 31, 2024 07:48:59.598350048 CET	12925	49745	52.28.247.255	192.168.2.4
Dec 31, 2024 07:48:59.603467941 CET	49770	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:48:59.608350992 CET	12925	49770	3.68.171.119	192.168.2.4
Dec 31, 2024 07:48:59.608427048 CET	49770	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:48:59.608675003 CET	49770	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:48:59.613504887 CET	12925	49770	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:01.254146099 CET	12925	49770	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:01.255491018 CET	49770	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:06.314870119 CET	49770	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:06.319761992 CET	12925	49770	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:06.351495028 CET	49813	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:06.356379032 CET	12925	49813	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:06.356467962 CET	49813	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:06.356775045 CET	49813	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:06.361618042 CET	12925	49813	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:08.008217096 CET	12925	49813	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:08.008383989 CET	49813	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:13.015333891 CET	49813	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:13.016061068 CET	49858	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:13.020207882 CET	12925	49813	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:13.020936012 CET	12925	49858	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:13.020993948 CET	49858	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:13.021300077 CET	49858	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:13.026117086 CET	12925	49858	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:14.657023907 CET	12925	49858	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:14.657089949 CET	49858	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:19.671828985 CET	49858	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:19.676090956 CET	49899	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:19.676692009 CET	12925	49858	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:19.680864096 CET	12925	49899	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:19.680958033 CET	49899	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:19.685019016 CET	49899	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:19.689821005 CET	12925	49899	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:21.336112022 CET	12925	49899	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:21.336210012 CET	49899	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:26.343463898 CET	49899	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:26.344388008 CET	49941	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:26.348196030 CET	12925	49899	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:26.349175930 CET	12925	49941	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:26.349240065 CET	49941	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:26.349546909 CET	49941	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:26.354305983 CET	12925	49941	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:27.987178087 CET	12925	49941	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:27.987246037 CET	49941	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:32.999825001 CET	49941	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:33.000515938 CET	49987	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:33.005639076 CET	12925	49941	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:33.006093025 CET	12925	49987	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:33.006164074 CET	49987	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:33.006429911 CET	49987	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:33.012228012 CET	12925	49987	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:34.646500111 CET	12925	49987	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:34.646570921 CET	49987	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:39.656047106 CET	49987	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:39.656856060 CET	50017	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:39.660875082 CET	12925	49987	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:39.661664963 CET	12925	50017	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:39.661998987 CET	50017	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:39.661998987 CET	50017	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:39.666862965 CET	12925	50017	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:41.334784031 CET	12925	50017	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:41.334866047 CET	50017	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:46.345911026 CET	50017	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:46.346745014 CET	50018	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:46.350858927 CET	12925	50017	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:46.351615906 CET	12925	50018	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:46.351685047 CET	50018	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:46.351982117 CET	50018	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:46.358218908 CET	12925	50018	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:47.987051010 CET	12925	50018	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:47.987258911 CET	50018	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:52.999809027 CET	50018	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:53.000613928 CET	50019	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:53.004700899 CET	12925	50018	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:53.005455971 CET	12925	50019	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:53.005533934 CET	50019	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:53.005747080 CET	50019	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:53.010478973 CET	12925	50019	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:54.644020081 CET	12925	50019	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:54.644109011 CET	50019	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:59.656024933 CET	50019	12925	192.168.2.4	3.68.171.119
Dec 31, 2024 07:49:59.660933018 CET	12925	50019	3.68.171.119	192.168.2.4
Dec 31, 2024 07:49:59.666923046 CET	50020	12925	192.168.2.4	3.69.157.220
Dec 31, 2024 07:49:59.671720028 CET	12925	50020	3.69.157.220	192.168.2.4
Dec 31, 2024 07:49:59.671788931 CET	50020	12925	192.168.2.4	3.69.157.220
Dec 31, 2024 07:49:59.672070980 CET	50020	12925	192.168.2.4	3.69.157.220
Dec 31, 2024 07:49:59.676855087 CET	12925	50020	3.69.157.220	192.168.2.4
Dec 31, 2024 07:50:01.300278902 CET	12925	50020	3.69.157.220	192.168.2.4
Dec 31, 2024 07:50:01.300441980 CET	50020	12925	192.168.2.4	3.69.157.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 07:47:59.545031071 CET	61272	53	192.168.2.4	1.1.1.1
Dec 31, 2024 07:47:59.554557085 CET	53	61272	1.1.1.1	192.168.2.4
Dec 31, 2024 07:48:59.594152927 CET	57191	53	192.168.2.4	1.1.1.1
Dec 31, 2024 07:48:59.602905035 CET	53	57191	1.1.1.1	192.168.2.4
Dec 31, 2024 07:49:59.657412052 CET	60816	53	192.168.2.4	1.1.1.1
Dec 31, 2024 07:49:59.666197062 CET	53	60816	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 07:47:59.545031071 CET	192.168.2.4	1.1.1.1	0xc148	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 31, 2024 07:48:59.594152927 CET	192.168.2.4	1.1.1.1	0x11c7	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 31, 2024 07:49:59.657412052 CET	192.168.2.4	1.1.1.1	0x51b6	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 07:47:59.554557085 CET	1.1.1.1	192.168.2.4	0xc148	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Dec 31, 2024 07:48:59.602905035 CET	1.1.1.1	192.168.2.4	0x11c7	No error (0)	6.tcp.eu.ngrok.io	3.68.171.119	A (IP address)	IN (0x0001)	false
Dec 31, 2024 07:49:59.666197062 CET	1.1.1.1	192.168.2.4	0x51b6	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:47:54
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\systempreter.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\systempreter.exe"
Imagebase:	0x660000
File size:	53'760 bytes
MD5 hash:	D07714B594AE5D7F674C7FCF6A803807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1650931356.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00E21727 Relevance: 4.2, Strings: 3, Instructions: 442COMMON

Download Yara Rule

Strings

xbq, xrefs: 00E21D76
a^q, xrefs: 00E21D3C
a^q, xrefs: 00E21CDF

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 661fb3ef5e2c43c4a7976cae53186bb25014abea03418d7f89d9b29dd2f770a0
Instruction ID: 24c08270485e697f8602504690aa46f015984ef6d602d47e6173871c753445f8
Opcode Fuzzy Hash: 661fb3ef5e2c43c4a7976cae53186bb25014abea03418d7f89d9b29dd2f770a0
Instruction Fuzzy Hash: E6028E34700214CFCB15AF64E994B6EBBE2FB84304F248969E4059B3A9DF75DD86CB81

Function 00E21962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

xbq, xrefs: 00E21D76
a^q, xrefs: 00E21D3C
a^q, xrefs: 00E21CDF

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: dc176cd9d1043f99e8224cb39b204ef9558dd46d62c3d9287bc829d541289e69
Instruction ID: 05d72303d6570578205378a5529b6fa0185dbe8b6a2f77c19e4463e181c0faf5
Opcode Fuzzy Hash: dc176cd9d1043f99e8224cb39b204ef9558dd46d62c3d9287bc829d541289e69
Instruction Fuzzy Hash: 19619E747002108FC709EF28E894B5EBBE2FB85314F208969E5059F3A6DBB1ED458BC1

Function 00E20EB8 Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00E20EED
(bq, xrefs: 00E21192

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: (bq$Te^q
API String ID: 0-2856382362
Opcode ID: 7e26b55b8aef036431076e3244183003fbcdb87ae4f988879404d432148c6a56
Instruction ID: a513563853c6984b4b4eed3fa2a39d457ba0cc6440b0f5ac24ab7c31f584d96e
Opcode Fuzzy Hash: 7e26b55b8aef036431076e3244183003fbcdb87ae4f988879404d432148c6a56
Instruction Fuzzy Hash: 8651A030B101148FC754DF69D498A5EBBF6FF89700F2580AAE805EB3A6CB75DD058B90

Function 00E20D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E20E40
dLdq, xrefs: 00E20D5B

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: c2b4617064fd6ba9513936b6a937ec7dc6b13bd6a7a507610a65f6c5decd4214
Instruction ID: dc8b8a10597f0e9b0a8895fe17deec29c6affba4d5334e0db7bb745996232c56
Opcode Fuzzy Hash: c2b4617064fd6ba9513936b6a937ec7dc6b13bd6a7a507610a65f6c5decd4214
Instruction Fuzzy Hash: F441BF317002148FCB15DF69D494AAEBBF6BF89300F1544AAE506EB3A2CA359C09CB91

Function 00E21339 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E2138B

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1ba78c384e7b679631b54ac4032f69d171af5d4f11da2f29000aff189ed0bf85
Instruction ID: c3bf884f898e9e0cf9baad23cc233a4a46a83fdf94d7daebccc1e9ed8ebf8bde
Opcode Fuzzy Hash: 1ba78c384e7b679631b54ac4032f69d171af5d4f11da2f29000aff189ed0bf85
Instruction Fuzzy Hash: 6A31E234F002658FCB04EB7C949066EBBF6EFC5214B1041A9E509EB3A5EE30CD028792

Function 00E20D10 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

dLdq, xrefs: 00E20D5B

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: f221aabc8e87a3ef3fc308d8dd20c09386fd342dcca98019f43bc2b17a4b9616
Instruction ID: 13192981f379c00a3a4f73350a816d0003db4e0289d2d031b7b9936c7f7b9be2
Opcode Fuzzy Hash: f221aabc8e87a3ef3fc308d8dd20c09386fd342dcca98019f43bc2b17a4b9616
Instruction Fuzzy Hash: 2E316135A002148FDB14DF69D488B9EBBF2FF88304F149569D401AB3A2CB75ED49CB91

Function 00E20E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00E20E40

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: f69ccabf6f4e7d56bd5ee1c5fe34cd7b94b64d8ab5bcc14e0360e31deb5e8c4f
Instruction ID: fc282acc913b00de5733a5750e3aa91dde42ce6f07e623fd49ed6f3e1601c02a
Opcode Fuzzy Hash: f69ccabf6f4e7d56bd5ee1c5fe34cd7b94b64d8ab5bcc14e0360e31deb5e8c4f
Instruction Fuzzy Hash: 2FF0C8313042945FC355AB7DA85452E3BE7BFCB25076508F6E109DB3A3DD248C0A8365

Function 00E20AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a571b8ee20163da08b1cd1bf7d9a5d15d59a81de106b74d3192c6398c33eecdf
Instruction ID: fdb7d443c999c72512b5d3a7e662044ce433d6fc13a3d20096abdd29515948ac
Opcode Fuzzy Hash: a571b8ee20163da08b1cd1bf7d9a5d15d59a81de106b74d3192c6398c33eecdf
Instruction Fuzzy Hash: 7A51F978200215CFCB06FB74EDC465A7B62FB853857118668D4068B3ADDB75A94BEFC0

Function 00E211D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261bbbde5aab2c0e11699892bfd7db281cfe1c79e96ac44ad8e4580fbfada26a
Instruction ID: d1bfe1a86568b59b72b8e1181173bb5c199478a3d2ee4f3d608726875e551413
Opcode Fuzzy Hash: 261bbbde5aab2c0e11699892bfd7db281cfe1c79e96ac44ad8e4580fbfada26a
Instruction Fuzzy Hash: 3241A271F04219AFCB04EFB9D54466EBBFAEF88300F2085A9D449E7355DA349E418B91

Function 00E20998 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5197a338f3243837066fcc2db073d6c845814adabbf3f18e1496e1ea6056833b
Instruction ID: 2369251a7a33ec3f0e0788ac9187a4fd9667335e2689338029b4d1083900abd7
Opcode Fuzzy Hash: 5197a338f3243837066fcc2db073d6c845814adabbf3f18e1496e1ea6056833b
Instruction Fuzzy Hash: 6621CFB8B003628FDF69AB74B84836E3BA4BF51349B54642DD407E21E3EB208941CB91

Function 00C3D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904539111.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3d000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0c8cc8db5d5227029ee62d63f0e6d56b7542ebbb6f53b00f8cdab84fd74037
Instruction ID: cc858e52f657e6d179213865a157037dc3507c30e07f755f444a270cecc02cf0
Opcode Fuzzy Hash: 8a0c8cc8db5d5227029ee62d63f0e6d56b7542ebbb6f53b00f8cdab84fd74037
Instruction Fuzzy Hash: 8F2137B1554200DFDB05DF14E9C0B27BF65FB98318F20C169E90B0B256C336D956CBA2

Function 00E209A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee634c8ae1a6e667de8569d2a7696e60aa9be73dddeb8102b0f8f4215a6633a
Instruction ID: 06280608a2cd0d69f2563d8f4f580c8d38ce611187d30644af86eca6914e7c4c
Opcode Fuzzy Hash: 1ee634c8ae1a6e667de8569d2a7696e60aa9be73dddeb8102b0f8f4215a6633a
Instruction Fuzzy Hash: 27219FB87003268FDF68ABB5B84836E3BA4BF4134975064299407E21D3EA30C941DBA2

Function 00E21431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb714cb9cca7b683fac9326fbc1ef31d1c006de502f9a701f880943632ff06f3
Instruction ID: 9f40e9454ecb2702f2e599e77fbe7ec9bf814ca5cf7853d1de6904a3d9587f0f
Opcode Fuzzy Hash: fb714cb9cca7b683fac9326fbc1ef31d1c006de502f9a701f880943632ff06f3
Instruction Fuzzy Hash: 7411AC74A00229DFCB50EBB8D884A9A7BF5EF89344B2504B9D009DB364EB30DD06DB90

Function 00C3D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904539111.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c3d000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6830b3543a885ad5250c6f963b5470026f195452370f425ada68f6923aa412c3
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D811D3B6904240CFDB16CF14D5C4B16BF72FB94324F24C5A9D90A0B256C336D95ACBA2

Function 00E21440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d5970d908eab58b9863c906473d0fa4027f666cd59b8ca8825308bb525dd4f
Instruction ID: a22cd50f7c80fde593f5ebc7b79cd690c699efa2d3ab8ed57a35038237ae2604
Opcode Fuzzy Hash: 16d5970d908eab58b9863c906473d0fa4027f666cd59b8ca8825308bb525dd4f
Instruction Fuzzy Hash: 1D116D74B00218DFCB54EBB9E944A6A7BE6FF8934571108B9D40ADB354EA31DD02CB90

Function 00E216A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8efed0e1a6ab587b9ec9d9fd66f0505b278578ade2e83c4c012fcfec81e261
Instruction ID: 62828e58996def9b25c26e97f1fa354a4761f708b6174af0935c9f8324d5c876
Opcode Fuzzy Hash: 4e8efed0e1a6ab587b9ec9d9fd66f0505b278578ade2e83c4c012fcfec81e261
Instruction Fuzzy Hash: 26018F75B012228FDF18EFA8A491BAE77F0EF54304B0540AEC816A7692DB705E06DB91

Function 00E20A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18657d852a24010bf324d0c76c4b65948955b7dda5a6abbc71ef86eb375d0bf1
Instruction ID: df5ee73c9a02ec1c69499392fc5e67696b7456960ff8e863c5087230a4afdf3a
Opcode Fuzzy Hash: 18657d852a24010bf324d0c76c4b65948955b7dda5a6abbc71ef86eb375d0bf1
Instruction Fuzzy Hash: 5CC08CB820472BCFD72527A0F90C76C3D10BB82306F902152A003540F38EB40940871B

Function 00E20A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904801949.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_systempreter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc8416c5ec48aa8f0f5c13e70c7ddb5fb24b2d3448bf8afebbc76e275fbe092
Instruction ID: 6812c7a56fbe976b6e041d32de6c6eea4baf97d9a22acff4ef6e94a355698549
Opcode Fuzzy Hash: 3cc8416c5ec48aa8f0f5c13e70c7ddb5fb24b2d3448bf8afebbc76e275fbe092
Instruction Fuzzy Hash: 19C08CB8204B6ECFDB2527A0F90C76C3E10B782306F902157A003540F38EB409808B1B

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report systempreter.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
systempreter.exe