Edit tour

Windows Analysis Report
bKxtUOPLtR.exe

Overview

General Information

Sample name:	bKxtUOPLtR.exe renamed because original name is a hash value
Original sample name:	eb6c0249f9400e57260fd7a03b73e532f4efdfdb.exe
Analysis ID:	1582813
MD5:	5728d13936b16b914babca7f1067c13b
SHA1:	eb6c0249f9400e57260fd7a03b73e532f4efdfdb
SHA256:	5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
Tags:	exeuser-NDA0E
Infos:

Detection

AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AveMaria stealer

Yara detected BrowserPasswordDump

Yara detected DcRat

Yara detected Keylogger Generic

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected VenomRAT

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bKxtUOPLtR.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\bKxtUOPLtR.exe" MD5: 5728D13936B16B914BABCA7F1067C13B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.cyber5w.com/analyzing-macro-enabled-office-documents https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bKxtUOPLtR.exe	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
bKxtUOPLtR.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
bKxtUOPLtR.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
bKxtUOPLtR.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
bKxtUOPLtR.exe	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
bKxtUOPLtR.exe	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
bKxtUOPLtR.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
bKxtUOPLtR.exe	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
bKxtUOPLtR.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
bKxtUOPLtR.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b830:$str05: Perfor_mance 0x29b874:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c122:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b410:$str12: ProcessHacker.exe 0x29b602:$str13: Select * from Win32_CacheMemory
bKxtUOPLtR.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
bKxtUOPLtR.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b602:$q1: Select * from Win32_CacheMemory 0x29b642:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b690:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b6de:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
bKxtUOPLtR.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
bKxtUOPLtR.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
bKxtUOPLtR.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
bKxtUOPLtR.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
bKxtUOPLtR.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 12 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4203659638.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241208:$a1: havecamera 0x28c032:$a2: timeout 3 > NUL 0x28f3b5:$a3: START "" " 0x28f8ca:$a3: START "" " 0x28f7a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28f842:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293606:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28b8a2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287a16:$s6: VirtualBox 0x297595:$s6: VirtualBox 0x292fb2:$s8: Win32_ComputerSystem 0x2974fb:$s8: Win32_ComputerSystem 0x2900de:$s9: Win32_Process Where ParentProcessID= 0x28fcfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28fd98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28fead:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28ff95:$cnc4: POST / HTTP/1.1
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: bKxtUOPLtR.exe PID: 6792	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xdc061:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: bKxtUOPLtR.exe PID: 6792	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7fe15:$s6: VirtualBox 0xee9e:$s8: Win32_ComputerSystem 0x188a4:$s8: Win32_ComputerSystem 0x189b5:$s8: Win32_ComputerSystem 0xdbd37:$s8: Win32_ComputerSystem 0xddf54:$s8: Win32_ComputerSystem 0x104562:$s8: Win32_ComputerSystem 0x1045ba:$s8: Win32_ComputerSystem 0x126d80:$s8: Win32_ComputerSystem 0x12c54a:$s8: Win32_ComputerSystem 0x12c55f:$s8: Win32_ComputerSystem 0x12cb76:$s8: Win32_ComputerSystem 0x12de2d:$s8: Win32_ComputerSystem 0x131bc9:$s8: Win32_ComputerSystem 0x131c90:$s8: Win32_ComputerSystem 0x1326d7:$s8: Win32_ComputerSystem 0x13b871:$s8: Win32_ComputerSystem 0xda68d:$s9: Win32_Process Where ParentProcessID= 0xda4a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xda4ee:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xda578:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177aa6:$str05: Perfor_mance 0x177aea:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x178398:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x177686:$str12: ProcessHacker.exe 0x177878:$str13: Select * from Win32_CacheMemory
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x177878:$q1: Select * from Win32_CacheMemory 0x1778b8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x177906:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x177954:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b830:$str05: Perfor_mance 0x29b874:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c122:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b410:$str12: ProcessHacker.exe 0x29b602:$str13: Select * from Win32_CacheMemory
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b602:$q1: Select * from Win32_CacheMemory 0x29b642:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b690:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b6de:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
0.0.bKxtUOPLtR.exe.3e0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T15:06:43.209877+0100	2842478	1	Malware Command and Control Activity Detected	157.20.182.177	4449	192.168.2.4	49730	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bKxtUOPLtR.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: bKxtUOPLtR.exe	Virustotal: Detection: 58%			Perma Link
Source: bKxtUOPLtR.exe	ReversingLabs: Detection: 75%

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: bKxtUOPLtR.exe

Joe Sandbox ML: detected

Source: bKxtUOPLtR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: bKxtUOPLtR.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: bKxtUOPLtR.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 157.20.182.177:4449 -> 192.168.2.4:49730

Yara detected Generic Downloader

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 157.20.182.177:4449

Source: Joe Sandbox View

ASN Name: FCNUniversityPublicCorporationOsakaJP FCNUniversityPublicCorporationOsakaJP

Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177

Source: bKxtUOPLtR.exe, 00000000.00000002.4203485003.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: bKxtUOPLtR.exe, 00000000.00000002.4208622460.000000001B5B4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: bKxtUOPLtR.exe	String found in binary or memory: http://ipinfo.io/ip
Source: bKxtUOPLtR.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: bKxtUOPLtR.exe, 00000000.00000002.4203659638.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bKxtUOPLtR.exe	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: bKxtUOPLtR.exe	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: bKxtUOPLtR.exe	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: bKxtUOPLtR.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: bKxtUOPLtR.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: bKxtUOPLtR.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: bKxtUOPLtR.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: bKxtUOPLtR.exe	String found in binary or memory: https://urn.to/r/sds_see
Source: bKxtUOPLtR.exe	String found in binary or memory: https://urn.to/r/sds_seeaCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Code function: 0_2_00007FFD9B6F3ACE NtProtectVirtualMemory,

0_2_00007FFD9B6F3ACE

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6F3ACE	0_2_00007FFD9B6F3ACE
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6FB296	0_2_00007FFD9B6FB296
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6F4A38	0_2_00007FFD9B6F4A38
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6FC042	0_2_00007FFD9B6FC042
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B70262E	0_2_00007FFD9B70262E
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B701415	0_2_00007FFD9B701415
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6F33DD	0_2_00007FFD9B6F33DD
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B71102B	0_2_00007FFD9B71102B
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6FE701	0_2_00007FFD9B6FE701

Source: bKxtUOPLtR.exe, 00000000.00000000.1734693172.00000000006E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs bKxtUOPLtR.exe
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehvnc.exe" vs bKxtUOPLtR.exe
Source: bKxtUOPLtR.exe	Binary or memory string: OriginalFilenamehvnc.exe" vs bKxtUOPLtR.exe
Source: bKxtUOPLtR.exe	Binary or memory string: OriginalFilenameClientAny.exe" vs bKxtUOPLtR.exe

Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: bKxtUOPLtR.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

File created: C:\Users\user\AppData\Roaming\7n5rJCiEX08cdKRQsT6vxkbuaZ

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Mutant created: \Sessions\1\BaseNamedObjects\FkwbxYcgg1G0FnF/TAjQzi9jUa9qcKKioTum8hnjwFlv/+1VfkEHx8BfkllXkWd9Y+CD9XIOkxhhblHpQPtD1w==

Source: bKxtUOPLtR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bKxtUOPLtR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.70%

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bKxtUOPLtR.exe	Virustotal: Detection: 58%
Source: bKxtUOPLtR.exe	ReversingLabs: Detection: 75%

Source: bKxtUOPLtR.exe	String found in binary or memory: /C -StartDelay : Sleeping ISetFileCreationDate : Changing file
Source: bKxtUOPLtR.exe	String found in binary or memory: maxBufferSize!CheckTaskNotNull/LoadIntoBufferAsyncCore
Source: bKxtUOPLtR.exe	String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries
Source: bKxtUOPLtR.exe	String found in binary or memory: IF294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: bKxtUOPLtR.exe	String found in binary or memory: HasSubValue3Conflicting item/add type
Source: bKxtUOPLtR.exe	String found in binary or memory: U/configuration/appSettings/add[@key='{0}']
Source: bKxtUOPLtR.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: bKxtUOPLtR.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Section loaded: mmdevapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: bKxtUOPLtR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bKxtUOPLtR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: bKxtUOPLtR.exe

Static file information: File size 3136512 > 1048576

Source: bKxtUOPLtR.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2fca00

Source: bKxtUOPLtR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: bKxtUOPLtR.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: bKxtUOPLtR.exe

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B717295 pushfd ; retf 5F4Ch	0_2_00007FFD9B7172F1
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B700691 push es; retn 7002h	0_2_00007FFD9B701279
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B708230 push ebx; retn 5F4Dh	0_2_00007FFD9B70826A
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B70616F push esi; ret	0_2_00007FFD9B7061D7
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B708167 push ebx; ret	0_2_00007FFD9B70816A
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Code function: 0_2_00007FFD9B6F00BD pushad ; iretd	0_2_00007FFD9B6F00C1

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected VenomRAT

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bKxtUOPLtR.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Memory allocated: B60000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Memory allocated: 1A9E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Window / User API: threadDelayed 8916			Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Window / User API: threadDelayed 937			Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe TID: 7076	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe TID: 5820	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: bKxtUOPLtR.exe	Binary or memory string: vmware
Source: bKxtUOPLtR.exe	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: bKxtUOPLtR.exe, 00000000.00000002.4208622460.000000001B56A000.00000004.00000020.00020000.00000000.sdmp, bKxtUOPLtR.exe, 00000000.00000002.4208114590.000000001B4B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bKxtUOPLtR.exe	Binary or memory string: VirtualMachine:

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Source: bKxtUOPLtR.exe, 00000000.00000002.4203659638.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, bKxtUOPLtR.exe, 00000000.00000002.4203659638.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, bKxtUOPLtR.exe, 00000000.00000002.4203659638.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bKxtUOPLtR.exe	Binary or memory string: Shell_TrayWnd
Source: bKxtUOPLtR.exe	Binary or memory string: ProgMan
Source: bKxtUOPLtR.exe	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Queries volume information: C:\Users\user\Desktop\bKxtUOPLtR.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\bKxtUOPLtR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: bKxtUOPLtR.exe, 00000000.00000002.4209341345.000000001BF70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\bKxtUOPLtR.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Yara detected BrowserPasswordDump

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 00000000.00000002.4203659638.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: exodus
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: bKxtUOPLtR.exe, 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match

File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Yara detected BrowserPasswordDump

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.505b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 00000000.00000002.4203659638.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: bKxtUOPLtR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bKxtUOPLtR.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bKxtUOPLtR.exe PID: 6792, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	151 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bKxtUOPLtR.exe	58%	Virustotal		Browse
bKxtUOPLtR.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.CryoMarte
bKxtUOPLtR.exe	100%	Avira	HEUR/AGEN.1357486
bKxtUOPLtR.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.newtonsoft.com/jsonschema	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354cIt	bKxtUOPLtR.exe	false		high
https://urn.to/r/sds_see	bKxtUOPLtR.exe	false		high
http://ipinfo.io/ip	bKxtUOPLtR.exe	false		high
https://github.com/LimerBoy/StormKitty	bKxtUOPLtR.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bKxtUOPLtR.exe, 00000000.00000002.4203659638.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	bKxtUOPLtR.exe	false		high
https://stackoverflow.com/q/2152978/23354	bKxtUOPLtR.exe	false		high
https://urn.to/r/sds_seeaCould	bKxtUOPLtR.exe	false		high
http://james.newtonking.com/projects/json	bKxtUOPLtR.exe	false		high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	bKxtUOPLtR.exe	false		high
http://www.newtonsoft.com/jsonschema	bKxtUOPLtR.exe	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v6/users/	bKxtUOPLtR.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
157.20.182.177	unknown	unknown		24297	FCNUniversityPublicCorporationOsakaJP	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582813
Start date and time:	2024-12-31 15:05:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bKxtUOPLtR.exe renamed because original name is a hash value
Original Sample Name:	eb6c0249f9400e57260fd7a03b73e532f4efdfdb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 7 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:06:43	API Interceptor	13276800x Sleep call for process: bKxtUOPLtR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
157.20.182.177	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	46VHQmFDxC.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	199.232.214.172
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	Qu3ped8inH.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	DIS_37745672.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	199.232.214.172
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.214.172
	222.msi	Get hash	malicious	XRed	Browse	199.232.214.172
	universityform.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	universityform.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FCNUniversityPublicCorporationOsakaJP	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	armv4l.elf	Get hash	malicious	Mirai	Browse	163.227.210.66
	2.elf	Get hash	malicious	Unknown	Browse	157.20.21.157
	1.elf	Get hash	malicious	Unknown	Browse	157.20.21.140
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	157.20.218.11
	3.elf	Get hash	malicious	Unknown	Browse	157.20.207.5
	3.elf	Get hash	malicious	Unknown	Browse	157.20.68.123
	3.elf	Get hash	malicious	Unknown	Browse	157.16.228.185
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	157.20.68.153
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	157.20.21.139

Process:	C:\Users\user\Desktop\bKxtUOPLtR.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\bKxtUOPLtR.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKRqi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:YDImsLNkPlE99SNxAhUe/3
MD5:	75EE0FC331733E6AF12D5D658E1685C6
SHA1:	EC0007BA28490A3EFBB64DC5D18217FD334199B2
SHA-256:	D7D69D90264F4C5445FDBD19276155DE7EBBBCDBBD8EA1CA75A5E45CD194001B
SHA-512:	474C0ACAB6EE6C61C83D974F1F6B7A901BA1F891BA04A26A8BC5D2511D80F5CCCC164F6A8910394B0386F25AFFBD2CE117699CE9BAF7473A81C3DAA071546D51
Malicious:	false
Reputation:	low
Preview:	p...... ........^.8.[..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.8497929158528725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.70% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win32 EXE PECompact compressed (generic) (41571/9) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	bKxtUOPLtR.exe
File size:	3'136'512 bytes
MD5:	5728d13936b16b914babca7f1067c13b
SHA1:	eb6c0249f9400e57260fd7a03b73e532f4efdfdb
SHA256:	5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
SHA512:	c54d31f78af766c065905d22a864730eaaeae2a3aeb5a6eea5f70f45ad2638391185ad355e5e85b520ee270e390307b2d975934959905d3fb48fb7a0957a5de9
SSDEEP:	49152:MPCQNqtCkmdatQdsgUBX3B3kNC3H6vUZIr/N2e:MPVlkmdatQSN
TLSH:	92E55A917BE4DE1AE1AF2771E4B101152BB1E419A732DB8F56C0E2B82C53740AD463BF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nf\g................../.........../.. ....0...@.. .......................@0...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6fe8be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C666E [Fri Dec 13 16:53:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fe870	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x300000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x302000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2fc8c4	0x2fca00	eb7512dd15f47404b55685b8003628eb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x300000	0xdf7	0xe00	f0879fac534efcb99739407818b71fe1	False	0.40345982142857145	data	5.115505372139322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x302000	0xc	0x200	5297018feaf5ee2a10b3faa00fedc2e6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3000a0	0x2d4	data			0.44751381215469616
RT_MANIFEST	0x300374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T15:06:43.209877+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	157.20.182.177	4449	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 15:06:42.572025061 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:42.576956034 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:42.577048063 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:42.589170933 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:42.594717979 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:43.197057962 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:43.205091953 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:43.209877014 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:43.382505894 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:43.431090117 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:45.642981052 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:45.647969961 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:45.648040056 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:45.652894020 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:59.823416948 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:59.828283072 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:06:59.830904007 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:06:59.835678101 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:00.124229908 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:00.165558100 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:00.253855944 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:00.268698931 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:00.275371075 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:00.275423050 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:00.280675888 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.009965897 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.015119076 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.015211105 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.020061016 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.307246923 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.353202105 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.441787958 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.493705988 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.512676954 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.517488003 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:14.517535925 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:14.522370100 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.197411060 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:28.202431917 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.202621937 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:28.207462072 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.495049953 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.540642023 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:28.615715027 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.617415905 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:28.622215033 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:28.622293949 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:28.627177954 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.384908915 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:42.518431902 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.518527985 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:42.523380995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.823004007 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.868834972 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:42.954155922 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.955580950 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:42.960397959 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:42.960458994 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:42.965291977 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.306723118 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.311547995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.311604023 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.316391945 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.603849888 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.644222975 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.738136053 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.739532948 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.744299889 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.744349003 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.749226093 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.792296886 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.797179937 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:50.797240019 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:50.802000999 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:51.157466888 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:51.212621927 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:51.294107914 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:51.295553923 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:51.300389051 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:51.300437927 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:51.305264950 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.322437048 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:55.327220917 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.327265024 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:55.332036972 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.620866060 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.665754080 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:55.754105091 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.755695105 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:55.760549068 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:07:55.760595083 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:07:55.765430927 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.113133907 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.270961046 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.271038055 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.275825024 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.574825048 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.708523035 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.708601952 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.738090038 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.742959976 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.743005037 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.747767925 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.853941917 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.858752966 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:03.858800888 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:03.863643885 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.042140961 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.165776014 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.177068949 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.180162907 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.184988022 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.185153961 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.189963102 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.212980032 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.217813969 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.217907906 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.222721100 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.487659931 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.618180037 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.618295908 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.620235920 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.625030041 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:04.625178099 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:04.629983902 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.403137922 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.407949924 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.411209106 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.416047096 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.728759050 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.807141066 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.816754103 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.823177099 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.829565048 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.863821983 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.871114016 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.921009064 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:18.927140951 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:18.931948900 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:19.120579958 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:19.194576979 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:19.254133940 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:19.255924940 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:19.260715961 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:19.260755062 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:19.265500069 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:22.744271994 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:22.749160051 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:22.749286890 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:22.754872084 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:23.045298100 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:23.092995882 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:23.177206993 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:23.179625988 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:23.187287092 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:23.187340975 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:23.192200899 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:27.744473934 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:27.749264956 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:27.749310017 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:27.754096031 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:28.041572094 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:28.089396954 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:28.174585104 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:28.179074049 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:28.183856010 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:28.183931112 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:28.188704967 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:31.931853056 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:31.936755896 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:31.936821938 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:31.941620111 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:32.230200052 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:32.337784052 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:32.366765976 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:32.371022940 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:32.375804901 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:32.375951052 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:32.380664110 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:33.994462967 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:33.999350071 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:33.999413013 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:34.004199982 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:34.292057037 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:34.339226961 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:34.426418066 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:34.432594061 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:34.437350988 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:34.437527895 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:34.442312956 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:36.838165045 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:36.842989922 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:36.843302011 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:36.848057032 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.157867908 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.228415012 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.260190964 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.264975071 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.265022993 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.269820929 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.290219069 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.292181969 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.347368956 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.347412109 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.352152109 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.559623003 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.664417028 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.694189072 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.695976019 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.700723886 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:37.700766087 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:37.705543041 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.181989908 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.186793089 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.189086914 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.193866014 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.663572073 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.666212082 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.666296005 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.671009064 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.671032906 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.787185907 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.788845062 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.793658018 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.794332981 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.799094915 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.913151979 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.917047024 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.921793938 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:40.927293062 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:40.932265043 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.463149071 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:42.468024969 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.468082905 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:42.472840071 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.760637999 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.839230061 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:42.894512892 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.896727085 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:42.901516914 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:42.901741028 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:42.906538963 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:56.653386116 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:56.734915972 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:56.735117912 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:56.739914894 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:57.026556015 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:57.134749889 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:57.158288002 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:57.160250902 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:57.164978027 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:08:57.165023088 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:08:57.169842958 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:10.872258902 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:10.877087116 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:10.877161980 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:10.881983995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:11.182590961 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:11.268367052 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:11.318347931 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:11.320301056 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:11.325088978 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:11.325148106 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:11.330005884 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:15.760207891 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:15.765058041 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:15.765105963 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:15.769876957 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:16.057631969 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:16.135346889 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:16.194487095 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:16.196428061 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:16.201188087 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:16.201456070 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:16.206245899 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.119615078 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:17.124439001 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.124489069 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:17.129290104 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.417193890 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.550446987 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:17.554359913 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.556091070 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:17.560853958 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:17.560926914 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:17.565749884 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.228910923 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.233803988 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.237591028 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.242357969 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.545799971 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.637454033 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.680799007 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.683562994 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.688388109 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.689491987 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.694281101 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.744457960 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.749227047 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.749562025 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:24.754313946 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:24.982677937 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:25.025526047 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:25.116213083 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:25.120373011 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:25.125217915 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:25.125261068 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:25.130125999 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.435399055 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:34.440310001 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.447401047 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:34.452157021 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.745311022 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.839406013 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:34.882373095 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.886353970 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:34.891160011 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:34.899403095 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:34.904222012 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.527421951 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:42.532242060 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.535501957 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:42.540297031 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.823307991 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.869359970 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:42.958488941 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.967427969 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:42.972209930 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:42.978728056 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:42.983547926 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.011437893 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:47.016252995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.016380072 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:47.021209955 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.307784081 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.370831966 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:47.446943998 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.448986053 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:47.453742981 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:47.453787088 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:47.458580017 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:55.963530064 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:55.968439102 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:55.968485117 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:55.973267078 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:56.260612965 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:56.394345045 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:56.394417048 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:56.395983934 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:56.400775909 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:09:56.401185989 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:09:56.405946016 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.163803101 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:10.168674946 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.168720961 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:10.173537970 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.568059921 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.702542067 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.702636003 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:10.704509974 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:10.713676929 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:10.713768959 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:10.718631983 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.385358095 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.390332937 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.390487909 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.395245075 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.685058117 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.776191950 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.781075001 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.781173944 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.786027908 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.818480968 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.824675083 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.871515036 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:20.873590946 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:20.878407001 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:21.073436022 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:21.206408978 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:21.209948063 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:21.212150097 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:21.216947079 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:21.216991901 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:21.221820116 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:28.667292118 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:28.672157049 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:28.672255039 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:28.677067995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:28.963622093 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.088221073 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.098397017 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.104876041 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.109704018 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.109853983 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.114635944 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.276468039 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.281332016 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.281378031 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.286185026 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.527405024 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.588246107 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.658530951 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.660604000 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.665410995 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:29.665467978 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:29.670269966 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.508641958 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:43.513521910 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.513570070 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:43.518404007 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.807653904 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.946213961 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.946276903 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:43.948316097 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:43.953119040 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:43.953171968 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:43.958076000 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:46.764910936 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:46.770071030 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:46.774223089 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:46.779073000 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:47.074071884 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:47.206583023 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:47.211657047 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:47.211657047 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:47.216574907 CET	4449	49730	157.20.182.177	192.168.2.4
Dec 31, 2024 15:10:47.223758936 CET	49730	4449	192.168.2.4	157.20.182.177
Dec 31, 2024 15:10:47.228607893 CET	4449	49730	157.20.182.177	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 15:06:43.476666927 CET	1.1.1.1	192.168.2.4	0x573c	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:06:43.476666927 CET	1.1.1.1	192.168.2.4	0x573c	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:06:56.674547911 CET	1.1.1.1	192.168.2.4	0x56aa	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:06:56.674547911 CET	1.1.1.1	192.168.2.4	0x56aa	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:06:38
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\bKxtUOPLtR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bKxtUOPLtR.exe"
Imagebase:	0x3e0000
File size:	3'136'512 bytes
MD5 hash:	5728D13936B16B914BABCA7F1067C13B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.4203659638.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1734380901.00000000003E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B701415 Relevance: 3.0, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"c/, xrefs: 00007FFD9B701556
.N_^, xrefs: 00007FFD9B701601

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID: "c/$.N_^
API String ID: 0-1514942668
Opcode ID: 0ba6d822df66eac96076f68bebb7ce8e0ef69229434445cc1b3126a029e1cb78
Instruction ID: c30fecc1308b1fca98986d893a436af57fcad44fd94fb54f33e21b82916b6903
Opcode Fuzzy Hash: 0ba6d822df66eac96076f68bebb7ce8e0ef69229434445cc1b3126a029e1cb78
Instruction Fuzzy Hash: 44C17E27B0D6660BE711B7ACBC645E9BB90EF8537174901BBE2C9C70A3DC156846C3D1

Function 00007FFD9B6F3ACE Relevance: 1.9, APIs: 1, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9413e785f0c91b0255b1eb38da385e6edbf5d737955406c87a7ca330f4cf2a60
Instruction ID: b8219ca9198addf430119d30234ef72d273cfb8c4c1f8b53fa0de289b17a27bf
Opcode Fuzzy Hash: 9413e785f0c91b0255b1eb38da385e6edbf5d737955406c87a7ca330f4cf2a60
Instruction Fuzzy Hash: 67C14931E0DA494FE71DAB7888665FA7BE1EF95310F0441BED09AC71DBDD2878068782

Function 00007FFD9B6F4A38 Relevance: .9, Instructions: 942COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8257d6f2cb8deef3fa7ac1704c19d876bd5de1f801d8a96600e2087d57a360
Instruction ID: 52169d16489817c497a9b8a0343752810e458a45b8b91f8bf0e5b81c783c81a1
Opcode Fuzzy Hash: 9c8257d6f2cb8deef3fa7ac1704c19d876bd5de1f801d8a96600e2087d57a360
Instruction Fuzzy Hash: 2C520532B0E94A4FE768EB6C84656B97BD2EF54310B5501BDD06EC72DBDE28BC018781

Function 00007FFD9B70262E Relevance: .8, Instructions: 802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bd8fb3d68c9629612aacd1324454c6a6d0f3ae6c2884809cee29698a6134a5
Instruction ID: 4282048d5e7e56e81fb038da317633bdb3cf3dbee3b3db424aa5ba39813161d1
Opcode Fuzzy Hash: c8bd8fb3d68c9629612aacd1324454c6a6d0f3ae6c2884809cee29698a6134a5
Instruction Fuzzy Hash: 7442E831B1DB894FD769DB68C4A06B67BE1FF85310F05027ED4DAC72A6DE24A841CB42

Function 00007FFD9B6FB296 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29430cf1eeafd97c0793b25ead04fde07fd928d5dd4a4b70fd92c45060d379a1
Instruction ID: 1d220866b4d02761bb54646d0fccd1c7ab3d044328ead2d611899cff585ea434
Opcode Fuzzy Hash: 29430cf1eeafd97c0793b25ead04fde07fd928d5dd4a4b70fd92c45060d379a1
Instruction Fuzzy Hash: AFF1C631A09A4D8FEBA8DF28C8557F93BD1FF94310F04426EE85DC7295DB34A9458B81

Function 00007FFD9B6FC042 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2d74f05e1c12082cb7af83029174460274b70fe16623683216eca7e13dba4c
Instruction ID: 702c827635b8e21c6885903a734bfa5dc9bdb645ec64a87fa9e30f8d25caf2a4
Opcode Fuzzy Hash: 2d2d74f05e1c12082cb7af83029174460274b70fe16623683216eca7e13dba4c
Instruction Fuzzy Hash: A5E1C330A09A4E8FEBA8DF68C8657F97BE1FF54310F04426AD85DC7295CA74A9448781

Function 00007FFD9B6F4538 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B6F4601

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: d254781002abdca8be22ff73a8072ae292d58e45ce14498a6cd9145c064b5a8e
Instruction ID: 6586d49b42afbade1ea55ce61a44f2b54863576b3cb72e6b53846334b74fb124
Opcode Fuzzy Hash: d254781002abdca8be22ff73a8072ae292d58e45ce14498a6cd9145c064b5a8e
Instruction Fuzzy Hash: 8141F631A0CA5D4FDB58EFAC98566F9BBE1EB59311F00427ED019C3592CE75B8128781

Non-executed Functions

Function 00007FFD9B6FE701 Relevance: 3.0, Strings: 2, Instructions: 534COMMON

Download Yara Rule

Strings

_N_I, xrefs: 00007FFD9B6FE804
@0], xrefs: 00007FFD9B6FEA84

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID: @0]$_N_I
API String ID: 0-1450377963
Opcode ID: 4adc5c42bbdd424ee8a514af79cd7bdfd2f15b42cd8eba6dd93b4fde7f6fe62c
Instruction ID: 3ba6d45a987b0269d77b2ee7787fe2aa8721807e7f341812c3c950aed1147552
Opcode Fuzzy Hash: 4adc5c42bbdd424ee8a514af79cd7bdfd2f15b42cd8eba6dd93b4fde7f6fe62c
Instruction Fuzzy Hash: ECF1FC5370F6D20BE31667EC78611E56F91EF8527574841FBD1DC8E0EBAC09790A8386

Function 00007FFD9B6F33DD Relevance: 2.9, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B6F33EA
mU_H, xrefs: 00007FFD9B6F3591

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID: U$mU_H
API String ID: 0-1071643295
Opcode ID: 4ea3cc81efada0f002258914166dfce628221f92ff88cab62a3ce2a076fa1314
Instruction ID: a839352c806f47188c08385b2062726a46b105d070a403e64ecb9997c5eb3725
Opcode Fuzzy Hash: 4ea3cc81efada0f002258914166dfce628221f92ff88cab62a3ce2a076fa1314
Instruction Fuzzy Hash: 6BB16822F1DA4A0FF71DAB78886A5F677D1EF99311B04017EE49AC71EBDD2878028341

Function 00007FFD9B71102B Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B711186

Memory Dump Source

Source File: 00000000.00000002.4209861636.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_bKxtUOPLtR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cfd6721b1cdddd97a15c76536ed48bd34243511b2a06d3da59513bd3f60fd509
Instruction ID: 60865cfd9a15550de5f315eb57853d11685678632923eebd35b259547e5cb162
Opcode Fuzzy Hash: cfd6721b1cdddd97a15c76536ed48bd34243511b2a06d3da59513bd3f60fd509
Instruction Fuzzy Hash: AA51F531A0DB8D8ED779DB6480607B1BBD1EF62300F15C2BEC48A4B6B2DD65E645C760

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bKxtUOPLtR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
bKxtUOPLtR.exe

Function 00007FFD9B701415 Relevance: 3.0, Strings: 2, Instructions: 462
COMMON

Function 00007FFD9B6F3ACE Relevance: 1.9, APIs: 1, Instructions: 438
COMMON