Edit tour

Windows Analysis Report
ersyb.exe

Overview

General Information

Sample name:	ersyb.exe
Analysis ID:	1583435
MD5:	5d19a21c61d16d22619b846816a0e270
SHA1:	8aba1f6780ec5a1e389a193821f727b9e8ddb710
SHA256:	e0cc614e2c756bfe9eb3773daa8d6c0ac66a2902826f5ccbd94113e3ff69e3db
Tags:	147-45-44-131bookingexeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

DcRat, KeyLogger, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected BrowserPasswordDump

Yara detected DcRat

Yara detected Keylogger Generic

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected VenomRAT

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ersyb.exe (PID: 2288 cmdline: "C:\Users\user\Desktop\ersyb.exe" MD5: 5D19A21C61D16D22619B846816A0E270)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ersyb.exe	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
ersyb.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
ersyb.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
ersyb.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
ersyb.exe	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
ersyb.exe	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
ersyb.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
ersyb.exe	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
ersyb.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
ersyb.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b858:$str05: Perfor_mance 0x29b89c:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c14a:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b438:$str12: ProcessHacker.exe 0x29b62a:$str13: Select * from Win32_CacheMemory
ersyb.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
ersyb.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b62a:$q1: Select * from Win32_CacheMemory 0x29b66a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b706:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
ersyb.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
ersyb.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
ersyb.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
ersyb.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
ersyb.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 12 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3801545178.0000000003573000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241208:$a1: havecamera 0x28c032:$a2: timeout 3 > NUL 0x28f3b5:$a3: START "" " 0x28f8ca:$a3: START "" " 0x28f7a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28f842:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293606:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28b8a2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287a16:$s6: VirtualBox 0x297595:$s6: VirtualBox 0x292fb2:$s8: Win32_ComputerSystem 0x2974fb:$s8: Win32_ComputerSystem 0x2900de:$s9: Win32_Process Where ParentProcessID= 0x28fcfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28fd98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28fead:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28ff95:$cnc4: POST / HTTP/1.1
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: ersyb.exe PID: 2288	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: ersyb.exe PID: 2288	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x11be82:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: ersyb.exe PID: 2288	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbfc36:$s6: VirtualBox 0x633f:$s8: Win32_ComputerSystem 0x6430:$s8: Win32_ComputerSystem 0x94a2:$s8: Win32_ComputerSystem 0x9aca:$s8: Win32_ComputerSystem 0x20e33:$s8: Win32_ComputerSystem 0x20e92:$s8: Win32_ComputerSystem 0x21fcd:$s8: Win32_ComputerSystem 0x220a1:$s8: Win32_ComputerSystem 0x2c8b7:$s8: Win32_ComputerSystem 0x2c97e:$s8: Win32_ComputerSystem 0x32b91:$s8: Win32_ComputerSystem 0x32bd6:$s8: Win32_ComputerSystem 0x53c46:$s8: Win32_ComputerSystem 0x54e1d:$s8: Win32_ComputerSystem 0x54f3b:$s8: Win32_ComputerSystem 0x55028:$s8: Win32_ComputerSystem 0x55466:$s8: Win32_ComputerSystem 0x55aac:$s8: Win32_ComputerSystem 0x58e79:$s8: Win32_ComputerSystem 0x58f40:$s8: Win32_ComputerSystem
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.ersyb.exe.a35b8a.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.ersyb.exe.a35b8a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.ersyb.exe.a35b8a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.ersyb.exe.a35b8a.1.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.ersyb.exe.a35b8a.1.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.ersyb.exe.a35b8a.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.ersyb.exe.a35b8a.1.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
0.0.ersyb.exe.a35b8a.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
0.0.ersyb.exe.a35b8a.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177ace:$str05: Perfor_mance 0x177b12:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x1783c0:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x1776ae:$str12: ProcessHacker.exe 0x1778a0:$str13: Select * from Win32_CacheMemory
0.0.ersyb.exe.a35b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
0.0.ersyb.exe.a35b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778a0:$q1: Select * from Win32_CacheMemory 0x1778e0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17792e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17797c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.ersyb.exe.a35b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.ersyb.exe.a35b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
0.0.ersyb.exe.a35b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.ersyb.exe.a35b8a.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.ersyb.exe.910000.0.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.ersyb.exe.910000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.ersyb.exe.910000.0.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
0.0.ersyb.exe.910000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
0.0.ersyb.exe.910000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b858:$str05: Perfor_mance 0x29b89c:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c14a:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b438:$str12: ProcessHacker.exe 0x29b62a:$str13: Select * from Win32_CacheMemory
0.0.ersyb.exe.910000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
0.0.ersyb.exe.910000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b62a:$q1: Select * from Win32_CacheMemory 0x29b66a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b706:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.ersyb.exe.910000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.ersyb.exe.910000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
0.0.ersyb.exe.910000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.ersyb.exe.910000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
0.0.ersyb.exe.910000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T19:14:17.280082+0100	2842478	1	Malware Command and Control Activity Detected	157.20.182.177	4449	192.168.2.9	49720	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ersyb.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: ersyb.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ersyb.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: 4449
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: 157.20.182.177
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: RAT + hVNC 6.0.5
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: false
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: rbdebzqnfarpyomol
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: MIICLjCCAZegAwIBAgIVAPMNUbaXLLtiHcN1m+dlPpK7vns9MA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMTgxNjQ3MjZaFw0zNDEyMjYxNjQ3MjZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaTwbFDhuWkASq9P+NWgPLnP41KwsDJJLX7xv2vo4FUXTwpEsoIrbqvSKldDp6m3lNHXNWYqqy0JX1ZnvClJ/gvVpmMCJfzkIDbW0sKPoOMmwx4PjzdNDQbKSSmM6rMMu8tDchwJEfQtMlgGPXFsMnPTYj6xNeMBCjcTIP5gwFCQIDAQABozIwMDAdBgNVHQ4EFgQU06NiTQAo8LSYzcJVCrt9Ah49blwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBg3cQkJK1HiQGjHKgDefp3ooSUSiEh+SRWC4Q/Jsp2TsM6Me9+ix/2g+oxV6/rhaeJkcDDCBtnjouhViDhezLBfl3oE0P29Ssq/skwUyjEZDScIepLewWrtQYtjyYbQL/ubsa0hoLDSZaKydxgH8cAtvOvMqE6WjrfEvcVupZLMQ==
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: Q+AFJAFiCL8OIXnK8vpppK2iElr5z1WborIl7rv6KiQoJrBbUTm5VXnSYAmidoRGFDhbPZQNsmEzkAX+OxkvuApCdcHhIykks+QzQbWVaQ2kFUGLle9WnlLZKzmw4R0L8hrBDa6GtG0avdXbvgSOzH5rALYyXUgmgBPNJoJdbSM=
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: null
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: false
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: false
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: Default
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: false
Source: 0.0.ersyb.exe.910000.0.unpack	String decryptor: false

Source: ersyb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: ersyb.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: ersyb.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 157.20.182.177:4449 -> 192.168.2.9:49720

Yara detected Generic Downloader

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49720 -> 157.20.182.177:4449

Source: Joe Sandbox View

IP Address: 157.20.182.177 157.20.182.177

Source: Joe Sandbox View

ASN Name: FCNUniversityPublicCorporationOsakaJP FCNUniversityPublicCorporationOsakaJP

Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177
Source: unknown	TCP traffic detected without corresponding DNS query: 157.20.182.177

Source: ersyb.exe, 00000000.00000002.3807541640.000000001B94A000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ersyb.exe, 00000000.00000002.3807987344.000000001BB37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en~
Source: ersyb.exe	String found in binary or memory: http://ipinfo.io/ip
Source: ersyb.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: ersyb.exe, 00000000.00000002.3801545178.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ersyb.exe	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: ersyb.exe	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: ersyb.exe	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: ersyb.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: ersyb.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: ersyb.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: ersyb.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: ersyb.exe	String found in binary or memory: https://urn.to/r/sds_see
Source: ersyb.exe	String found in binary or memory: https://urn.to/r/sds_seeaCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: ersyb.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: ersyb.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: ersyb.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: ersyb.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\ersyb.exe

Code function: 0_2_00007FF887C93ACE NtProtectVirtualMemory,

0_2_00007FF887C93ACE

Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C9C042	0_2_00007FF887C9C042
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA262E	0_2_00007FF887CA262E
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C94BDC	0_2_00007FF887C94BDC
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C93ACE	0_2_00007FF887C93ACE
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C9B296	0_2_00007FF887C9B296
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CB102B	0_2_00007FF887CB102B
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C9E701	0_2_00007FF887C9E701
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA1415	0_2_00007FF887CA1415
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C933DD	0_2_00007FF887C933DD

Source: ersyb.exe, 00000000.00000000.1329838003.0000000000C10000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs ersyb.exe
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehvnc.exe" vs ersyb.exe
Source: ersyb.exe	Binary or memory string: OriginalFilenamehvnc.exe" vs ersyb.exe
Source: ersyb.exe	Binary or memory string: OriginalFilenameClientAny.exe" vs ersyb.exe

Source: ersyb.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: ersyb.exe, type: SAMPLE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: ersyb.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: ersyb.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: ersyb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: ersyb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: ersyb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: ersyb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: ersyb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: ersyb.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: ersyb.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\ersyb.exe

File created: C:\Users\user\AppData\Roaming\7n5rJCiEX08cdKRQsT6vxkbuaZ

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ersyb.exe	Mutant created: \Sessions\1\BaseNamedObjects\vfVDlx1hYR5eeg941COCgOYrK6gDAf45JWq0rREs6wMlgEvTfIqUB6GLeUYmXAHG6FXvNHIOyD5aGohg2YWDc5Vc5Yhb/Un2tvnT0+k3WzE=

Source: ersyb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ersyb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.70%

Source: C:\Users\user\Desktop\ersyb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\ersyb.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ersyb.exe

ReversingLabs: Detection: 63%

Source: ersyb.exe	String found in binary or memory: /C -StartDelay : Sleeping ISetFileCreationDate : Changing file
Source: ersyb.exe	String found in binary or memory: maxBufferSize!CheckTaskNotNull/LoadIntoBufferAsyncCore
Source: ersyb.exe	String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries
Source: ersyb.exe	String found in binary or memory: IF294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: ersyb.exe	String found in binary or memory: HasSubValue3Conflicting item/add type
Source: ersyb.exe	String found in binary or memory: U/configuration/appSettings/add[@key='{0}']
Source: ersyb.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: ersyb.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Section loaded: mmdevapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: ersyb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ersyb.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ersyb.exe

Static file information: File size 3136512 > 1048576

Source: ersyb.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2fca00

Source: ersyb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: ersyb.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: ersyb.exe

Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CB7FBE push esp; retn 4810h	0_2_00007FF887CB8064
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA0691 push es; retn 7002h	0_2_00007FF887CA1279
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CAF53F pushad ; ret	0_2_00007FF887CAF8E7
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CB7295 pushfd ; retf 5F49h	0_2_00007FF887CB72F1
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887C900BD pushad ; iretd	0_2_00007FF887C900C1
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA8230 push ebx; retn 5F4Ah	0_2_00007FF887CA826A
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA616F push esi; ret	0_2_00007FF887CA61D7
Source: C:\Users\user\Desktop\ersyb.exe	Code function: 0_2_00007FF887CA8167 push ebx; ret	0_2_00007FF887CA816A

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Source: C:\Users\user\Desktop\ersyb.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected VenomRAT

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ersyb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ersyb.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\ersyb.exe	Memory allocated: 1550000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Memory allocated: 1B120000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe	Window / User API: threadDelayed 5194			Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Window / User API: threadDelayed 4643			Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe TID: 692	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe TID: 4220	Thread sleep time: -24903104499507879s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\ersyb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\ersyb.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ersyb.exe	Binary or memory string: vmware
Source: ersyb.exe, 00000000.00000002.3808293437.000000001BB78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: ersyb.exe	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: ersyb.exe, 00000000.00000002.3800874486.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ersyb.exe, 00000000.00000002.3808293437.000000001BB78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ersyb.exe	Binary or memory string: VirtualMachine:

Source: C:\Users\user\Desktop\ersyb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Source: ersyb.exe, 00000000.00000002.3801545178.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, ersyb.exe, 00000000.00000002.3801545178.0000000003307000.00000004.00000800.00020000.00000000.sdmp, ersyb.exe, 00000000.00000002.3801545178.000000000321A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ersyb.exe	Binary or memory string: Shell_TrayWnd
Source: ersyb.exe	Binary or memory string: ProgMan
Source: ersyb.exe	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView

Source: C:\Users\user\Desktop\ersyb.exe	Queries volume information: C:\Users\user\Desktop\ersyb.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ersyb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ersyb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: ersyb.exe, 00000000.00000002.3807987344.000000001BB37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\ersyb.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 00000000.00000002.3801545178.0000000003573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: exodus
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: ersyb.exe, 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.a35b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 00000000.00000002.3801545178.0000000003573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: ersyb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ersyb.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ersyb.exe PID: 2288, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	151 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ersyb.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.CryoMarte
ersyb.exe	100%	Avira	HEUR/AGEN.1357486
ersyb.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354cIt	ersyb.exe	false	high
https://urn.to/r/sds_see	ersyb.exe	false	high
http://ipinfo.io/ip	ersyb.exe	false	high
https://github.com/LimerBoy/StormKitty	ersyb.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ersyb.exe, 00000000.00000002.3801545178.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	ersyb.exe	false	high
https://stackoverflow.com/q/2152978/23354	ersyb.exe	false	high
https://urn.to/r/sds_seeaCould	ersyb.exe	false	high
http://james.newtonking.com/projects/json	ersyb.exe	false	high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	ersyb.exe	false	high
http://www.newtonsoft.com/jsonschema	ersyb.exe	false	high
https://discordapp.com/api/v6/users/	ersyb.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
157.20.182.177	unknown	unknown		24297	FCNUniversityPublicCorporationOsakaJP	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583435
Start date and time:	2025-01-02 19:13:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ersyb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 7 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: ersyb.exe

Simulations

Behavior and APIs

Time	Type	Description
13:14:17	API Interceptor	13793932x Sleep call for process: ersyb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
157.20.182.177	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	bKxtUOPLtR.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	8n26gvrXUM.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	199.232.210.172
	5fr5gthkjdg71.exe	Get hash	malicious	Quasar, R77 RootKit	Browse	199.232.214.172
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	WN3Y9XR9c7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FCNUniversityPublicCorporationOsakaJP	loligang.mips.elf	Get hash	malicious	Mirai	Browse	157.16.83.250
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	bKxtUOPLtR.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	armv4l.elf	Get hash	malicious	Mirai	Browse	163.227.210.66
	2.elf	Get hash	malicious	Unknown	Browse	157.20.21.157
	1.elf	Get hash	malicious	Unknown	Browse	157.20.21.140

Process:	C:\Users\user\Desktop\ersyb.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\ersyb.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kK43F9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:MsDImsLNkPlE99SNxAhUe/3
MD5:	06BAA2E86DB5C690E0BB2E1100E210E7
SHA1:	7F3ABE23C09A19B84FC405FC658B68209F8094B9
SHA-256:	C198763D3A51AB835942E7F925CA7E0C61EEA7CC4D1D2D447E0701BA88326DF6
SHA-512:	0E3D89B586F5706B934AE6A88C818D5CEEE939EB3E30E85FEEC554236BC78F269A3C914DA1E63DC02565AF6CE6B96092D0517B0D7DF8924393D754B1CAC2F244
Malicious:	false
Reputation:	low
Preview:	p...... ...........#B]..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.8498071792142605
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.70% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win32 EXE PECompact compressed (generic) (41571/9) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	ersyb.exe
File size:	3'136'512 bytes
MD5:	5d19a21c61d16d22619b846816a0e270
SHA1:	8aba1f6780ec5a1e389a193821f727b9e8ddb710
SHA256:	e0cc614e2c756bfe9eb3773daa8d6c0ac66a2902826f5ccbd94113e3ff69e3db
SHA512:	1a6f7daf3778f2b095092187d2d9540d27320100f0dbac8d29e48b34a1f929d1eb928344a0046ad3952825e1f9006a72f9821a6509dc54a392976b3b0358b580
SSDEEP:	49152:0GVLgqHU3mdatQdsgUBX3B3kNC3H6vUZ7r/N2e:0GFQ3mdatQSm
TLSH:	2BE55A91BBE4DE1AE1AF2771E4B1011527B1E419A732DB8F56C0E2B82C53740AD463BF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nf\g................../.........../.. ....0...@.. .......................@0...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6fe8ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C666E [Fri Dec 13 16:53:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fe898	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x300000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x302000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2fc8f4	0x2fca00	b5bcf1559ac65202d6c28b47beeb642c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x300000	0xdf7	0xe00	f0879fac534efcb99739407818b71fe1	False	0.40345982142857145	data	5.115505372139322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x302000	0xc	0x200	ba94922989b4fd8dd718612974baba5b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3000a0	0x2d4	data			0.44751381215469616
RT_MANIFEST	0x300374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T19:14:17.280082+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	157.20.182.177	4449	192.168.2.9	49720	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 19:14:16.645153999 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:16.649916887 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:16.649995089 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:16.660727024 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:16.665514946 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:17.267939091 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:17.274936914 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:17.280081987 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:17.452164888 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:17.507725000 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:19.355693102 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:19.360568047 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:19.360625029 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:19.365425110 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.072407007 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:34.077218056 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.077299118 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:34.082091093 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.381408930 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.429753065 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:34.506352901 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.519990921 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:34.525532007 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:34.525652885 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:34.531193018 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:48.789741993 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:48.794616938 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:48.794694901 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:48.799407959 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:49.094005108 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:49.148602962 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:49.231321096 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:49.240387917 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:49.245903969 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:14:49.245954037 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:14:49.251395941 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.508572102 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:03.513508081 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.513644934 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:03.518460035 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.813865900 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.867470026 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:03.946955919 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.948574066 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:03.953316927 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:03.953376055 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:03.958110094 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.227771044 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:18.232657909 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.232747078 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:18.237504959 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.542609930 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.586330891 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:18.675055981 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.676861048 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:18.681672096 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:18.681745052 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:18.688235998 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:27.633785009 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:27.638730049 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:27.641417980 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:27.646217108 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:27.959122896 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:28.013300896 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:28.095065117 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:28.098635912 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:28.103437901 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:28.103632927 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:28.108527899 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:28.790318012 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:28.795214891 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:28.795284033 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:28.800005913 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:29.096684933 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:29.148926020 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:29.227058887 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:29.229275942 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:29.234100103 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:29.234146118 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:29.238940001 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:32.571417093 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:32.576203108 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:32.576308012 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:32.581034899 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:32.877413988 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:32.930223942 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:33.011163950 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:33.053951979 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:33.058718920 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:33.058768034 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:33.063510895 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.243026972 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:34.247828960 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.247894049 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:34.252609968 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.552071095 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.602066040 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:34.678894043 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.681149960 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:34.686178923 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:34.686229944 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:34.691570044 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:46.915191889 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:46.919975996 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:46.920027971 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:46.924786091 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:47.228827000 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:47.299818039 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:47.363137007 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:47.365431070 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:47.370187998 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:47.370249033 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:47.374974966 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.137442112 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:48.142245054 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.145524025 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:48.150307894 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.455746889 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.539679050 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:48.587193012 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.589181900 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:48.594011068 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:48.594058037 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:48.598895073 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.118204117 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:50.123033047 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.125557899 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:50.130347013 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.433301926 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.534912109 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:50.567204952 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.569797039 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:50.574528933 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:50.574584961 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:50.579346895 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:57.681504011 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:57.686285019 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:57.686389923 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:57.691205978 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:57.992932081 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:58.039755106 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:58.127296925 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:58.170773029 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:58.175555944 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:15:58.175621986 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:15:58.180382013 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.431024075 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:11.435867071 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.435933113 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:11.440764904 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.748449087 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.805502892 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:11.867290020 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.877746105 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:11.882663965 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:11.882781029 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:11.887609959 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:22.930982113 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:22.935944080 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:22.936119080 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:22.940959930 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:23.250978947 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:23.305541992 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:23.388597012 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:23.390661001 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:23.395482063 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:23.395528078 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:23.400269985 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.431658030 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:33.436599970 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.436672926 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:33.441525936 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.744009972 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.868575096 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.868668079 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:33.871117115 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:33.875847101 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:33.877824068 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:33.882601976 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:34.618838072 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:34.624167919 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:34.624223948 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:34.629225016 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:34.952790976 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:35.084134102 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:35.087342024 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:35.089190960 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:35.093978882 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:35.094072104 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:35.098839045 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:35.977833033 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:35.982812881 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:35.983928919 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:35.988719940 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:36.281886101 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:36.368139982 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:36.415391922 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:36.477557898 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:36.676204920 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:36.681178093 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:36.681256056 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:36.686033010 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.321635008 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:41.326601028 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.326664925 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:41.331526995 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.625585079 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.758671045 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.761915922 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:41.771109104 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:41.775878906 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:41.777864933 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:41.782619953 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.478008986 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.482914925 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.482990980 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.487829924 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.634175062 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.639125109 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.639173031 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.643901110 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.800389051 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.849087954 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.931619883 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.933525085 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.938364983 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:42.938424110 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:42.943197012 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:43.022420883 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:43.024606943 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:43.029381990 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:43.029419899 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:43.034179926 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:45.603111982 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:45.607952118 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:45.608011961 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:45.612739086 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:45.916707993 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:45.967895031 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:46.055577040 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:46.057499886 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:46.062278032 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:16:46.062441111 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:16:46.067172050 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.321907043 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:00.326853991 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.326932907 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:00.331721067 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.625907898 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.680811882 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:00.763575077 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.771209955 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:00.776017904 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:00.776065111 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:00.780908108 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.040878057 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:15.045785904 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.045852900 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:15.050715923 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.350574017 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.488315105 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.488399982 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:15.490787029 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:15.495663881 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:15.495722055 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:15.500504017 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.275458097 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:22.280339956 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.280484915 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:22.285248041 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.578388929 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.711649895 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.711721897 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:22.714528084 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:22.719381094 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:22.719441891 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:22.724272966 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:23.886024952 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:23.890774012 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:23.890840054 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:23.895639896 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:24.193917036 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:24.321604967 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:24.327588081 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:24.335654974 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:24.340543032 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:24.340673923 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:24.345563889 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.184164047 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:26.189080000 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.189172029 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:26.194211006 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.487248898 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.619618893 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.622282028 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:26.627851009 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:26.632630110 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:26.632776976 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:26.637526035 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.322374105 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:27.327243090 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.327297926 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:27.332156897 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.625276089 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.759614944 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.759949923 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:27.762042999 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:27.766798973 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:27.770169020 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:27.775044918 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.042135000 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:42.047010899 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.047080994 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:42.051902056 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.344950914 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.479706049 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.479921103 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:42.483501911 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:42.488276958 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:42.488373995 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:42.493118048 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.353549004 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:50.358510971 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.360593081 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:50.365463972 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.657771111 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.714221001 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:50.791826010 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.793787956 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:50.798675060 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:17:50.798724890 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:17:50.803580999 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.072598934 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:05.077929974 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.077980042 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:05.083240986 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.384531975 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.431221008 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:05.519984007 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.523169041 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:05.527964115 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:05.528023958 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:05.532818079 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:12.666300058 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:12.671170950 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:12.671447039 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:12.676232100 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:12.975498915 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:13.025046110 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:13.111888885 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:13.114566088 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:13.119396925 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:13.119447947 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:13.124228001 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:19.853962898 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:19.858696938 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:19.858848095 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:19.863636971 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:20.166706085 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:20.307715893 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:20.307789087 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:20.311127901 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:20.315933943 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:20.315989971 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:20.320808887 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:21.681891918 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:21.686666965 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:21.686717987 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:21.691550970 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:21.986304998 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:22.040868998 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:22.119842052 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:22.120620012 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:22.125699043 CET	4449	49720	157.20.182.177	192.168.2.9
Jan 2, 2025 19:18:22.125765085 CET	49720	4449	192.168.2.9	157.20.182.177
Jan 2, 2025 19:18:22.130852938 CET	4449	49720	157.20.182.177	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 19:14:17.600971937 CET	1.1.1.1	192.168.2.9	0x8d8	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 19:14:17.600971937 CET	1.1.1.1	192.168.2.9	0x8d8	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:14:12
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\ersyb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ersyb.exe"
Imagebase:	0x910000
File size:	3'136'512 bytes
MD5 hash:	5D19A21C61D16D22619B846816A0E270
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3801545178.0000000003573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1329515776.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF887C94BDC Relevance: 14.5, Strings: 11, Instructions: 784
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/B, xrefs: 00007FF887C94D44
HBL, xrefs: 00007FF887C94D63
/B, xrefs: 00007FF887C9516B
HBL, xrefs: 00007FF887C94FE0
/B, xrefs: 00007FF887C94C91
HBL, xrefs: 00007FF887C94CB0
/B, xrefs: 00007FF887C94CF0
r6B, xrefs: 00007FF887C951D7
HBL, xrefs: 00007FF887C95271
,, xrefs: 00007FF887C94D5A
/B, xrefs: 00007FF887C94DA3

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID: ,$HBL$HBL$HBL$HBL$r6B$/B$/B$/B$/B$/B
API String ID: 0-824595960
Opcode ID: dd5832cd56faccab355a84d536b48a1f5f0012f883fde96b77b8a59feecb0ba6
Instruction ID: fd3d9270eb37956e864a11c5fc7f3b52219b9f51d9a23549df300dd4bfc02a57
Opcode Fuzzy Hash: dd5832cd56faccab355a84d536b48a1f5f0012f883fde96b77b8a59feecb0ba6
Instruction Fuzzy Hash: F332C431A1CA4A8FEB98EB68D4557BD73E2FF98750B644579D00EC32C6DE2CAC428741

Function 00007FF887CA1415 Relevance: 3.0, Strings: 2, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.K_^, xrefs: 00007FF887CA1601
"c/, xrefs: 00007FF887CA1556

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID: "c/$.K_^
API String ID: 0-1552413223
Opcode ID: a63f4bbee38726bfe595233d3369f10cc1da252268c4e1bb0697f872c9a09693
Instruction ID: 26739d4561e81af74e27b25c24c866ef25a07ff7ee1a7d27e46b9025b102318d
Opcode Fuzzy Hash: a63f4bbee38726bfe595233d3369f10cc1da252268c4e1bb0697f872c9a09693
Instruction Fuzzy Hash: 96C12537A4DA994FE704BA6DF8942ECBBA1FF853B57080377D188CB083D9285846C795

Function 00007FF887C93ACE Relevance: 1.9, APIs: 1, Instructions: 441nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF887C93E24

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1174089632f56e6d8b2431d60d2875f5c041c433ed61a2685ebc671ec0b3e8ea
Instruction ID: 4ea20d73d09845d14533674eda3897acf27b3daa172bcd24e10dd87b5b2fe8a8
Opcode Fuzzy Hash: 1174089632f56e6d8b2431d60d2875f5c041c433ed61a2685ebc671ec0b3e8ea
Instruction Fuzzy Hash: 76C1283190CB894FE71DAB7898566FA77E2EF96350F04417ED08AC7197DE3C68068782

Function 00007FF887CA262E Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f873d8c27ce46345117fead45605e3996596e5b651a9716cf09fce540a0d1844
Instruction ID: a6cd241d826f12567d86f1f6e5ba5aa63e5db918dc7a275038ec5e24b0c99290
Opcode Fuzzy Hash: f873d8c27ce46345117fead45605e3996596e5b651a9716cf09fce540a0d1844
Instruction Fuzzy Hash: E9420570A4CB954FD759DB28D4907BABBE1FF85351F04417ED49AC7292CF28A842CB42

Function 00007FF887C9B296 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7999f1e76bfe9c01b8cf307c14aed77c16dd0a2662d402d96c6f36bb071f03
Instruction ID: a7b481e09398c47a2395466e84358ab84a7c71249a4168877fac28b0b0502e24
Opcode Fuzzy Hash: cd7999f1e76bfe9c01b8cf307c14aed77c16dd0a2662d402d96c6f36bb071f03
Instruction Fuzzy Hash: 49F18430908A4D8FEBA8DF28C8557ED3BE2FF54355F04426AE84DC7295DB349945CB82

Function 00007FF887C9C042 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6580d5bb506158824f025b9a6c38cf7975ea7a24de42f8aafce4c829dc8e95a5
Instruction ID: 8ae23b3393e17968789ac56800adfdbfee5033568a68f4b2587e0fb6ad4367d5
Opcode Fuzzy Hash: 6580d5bb506158824f025b9a6c38cf7975ea7a24de42f8aafce4c829dc8e95a5
Instruction Fuzzy Hash: AAE1B530908A8E8FEBA8DF28D8557FD77E2FB54350F04426AD84DC7291DE789945C782

Function 00007FF887C94538 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32 ref: 00007FF887C94601

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a72afea04bf8e682d0b2f2caa8d79c5c83062f0019e669c81c839100d2304bcc
Instruction ID: 0bf6c5e7c80317fbce8d276aa9d2c799438673aa2152be618cf59dbab884a1ba
Opcode Fuzzy Hash: a72afea04bf8e682d0b2f2caa8d79c5c83062f0019e669c81c839100d2304bcc
Instruction Fuzzy Hash: C841E53191CA498FDB58EBACD8467FD7BE1EB59311F00023ED009D3192DA65A812C7C1

Non-executed Functions

Function 00007FF887C933DD Relevance: 2.9, Strings: 2, Instructions: 415COMMON

Download Yara Rule

Strings

mR_H, xrefs: 00007FF887C93591
6B, xrefs: 00007FF887C9367D

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID: 6B$mR_H
API String ID: 0-3777621060
Opcode ID: 6c2b9a077e4c9670b6f94f9c630c7c073f064e6c8f1993b48181568b1c0adfad
Instruction ID: 6c52cc8ed0cfa80ccf145f76e2313c87d3cb15044360a86b8440eb81d5cd1e68
Opcode Fuzzy Hash: 6c2b9a077e4c9670b6f94f9c630c7c073f064e6c8f1993b48181568b1c0adfad
Instruction Fuzzy Hash: 11B13531E1CA495FF35DA778986A2FA77E2FF99690B04017ED04EC7197DE2C68068341

Function 00007FF887C9E701 Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

_K_I, xrefs: 00007FF887C9E804

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID: _K_I
API String ID: 0-4240841318
Opcode ID: 9a60cce0defb5036d7e0df528203f31acf68977257fff5ae8eeb45a101830540
Instruction ID: 5586065f3352acb69fbc0e48af22e346f3c27a1c647195e16322dfb41bfc60d4
Opcode Fuzzy Hash: 9a60cce0defb5036d7e0df528203f31acf68977257fff5ae8eeb45a101830540
Instruction Fuzzy Hash: 3CF10963D4EAC15FE3556AFCF8512FCABA1FF5177470843B7C0884B1ABE81898468396

Function 00007FF887CB102B Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

, xrefs: 00007FF887CB1186

Memory Dump Source

Source File: 00000000.00000002.3809233996.00007FF887C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887c90000_ersyb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c10db201d0d8387d143192e5540694fd67e75e5aaf4e280ec233382bb2a62270
Instruction ID: 0157d11c2fce19c3d27a2a2af8ad392d854bc2eb3d6f38a36616f3cacad126b4
Opcode Fuzzy Hash: c10db201d0d8387d143192e5540694fd67e75e5aaf4e280ec233382bb2a62270
Instruction Fuzzy Hash: 2951063150C78A8FD769DF24D0406BA7BE2FFA2340F24C1BEE59A47292DE65E645C740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ersyb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
ersyb.exe

Function 00007FF887C94BDC Relevance: 14.5, Strings: 11, Instructions: 784
COMMON

Function 00007FF887CA1415 Relevance: 3.0, Strings: 2, Instructions: 463
COMMON