Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1585488
MD5:	b525ea79a587def213905cf77f2b5e7e
SHA1:	08211f74b221764ad5e0ff24c914c8d8bf0fdedb
SHA256:	7d11842cce74194adfff7709d7ba3f560dd381dc05b79810ac5c08bb220e6556
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 2000 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B525EA79A587DEF213905CF77F2B5E7E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "wzt5xcg.localto.net", "Ports": "1604,5274", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "KYGOClient.exe", "Install_File": "dkdJQzRXdUpMV2syb1FUTzZyT0VRTzJmalpUdWc2RGY="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
file.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
file.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9981:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x670b:$a3: get_ActivatePong 0x9b99:$a4: vmware 0x9a11:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
file.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x670b:$str01: get_ActivatePong 0x745a:$str02: get_SslClient 0x7476:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x648d:$str06: set_UseShellExecute 0x9cb7:$str07: Pastebin 0x9d39:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a91:$str10: timeout 3 > NUL 0x9981:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x9a11:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
file.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9a13:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9813:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: file.exe PID: 2000	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: file.exe PID: 2000	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xbf19:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.110000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.file.exe.110000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.file.exe.110000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9981:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x670b:$a3: get_ActivatePong 0x9b99:$a4: vmware 0x9a11:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
0.0.file.exe.110000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x670b:$str01: get_ActivatePong 0x745a:$str02: get_SslClient 0x7476:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x648d:$str06: set_UseShellExecute 0x9cb7:$str07: Pastebin 0x9d39:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a91:$str10: timeout 3 > NUL 0x9981:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x9a11:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.file.exe.110000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9a13:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: wzt5xcg.localto.net

Avira URL Cloud: Label: malware

Found malware configuration

Source: file.exe

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "wzt5xcg.localto.net", "Ports": "1604,5274", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "KYGOClient.exe", "Install_File": "dkdJQzRXdUpMV2syb1FUTzZyT0VRTzJmalpUdWc2RGY="}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: wzt5xcg.localto.net

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 116.203.56.216 ports 5274,2,4,5,7,1604

Yara detected Generic Downloader

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 116.203.56.216:5274

Source: Joe Sandbox View

IP Address: 116.203.56.216 116.203.56.216

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: wzt5xcg.localto.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: file.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: file.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: file.exe, 00000000.00000000.2078578693.000000000011E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameStub.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: file.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: file.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: file.exe, Settings.cs

Base64 encoded string: 'K60oVrq/3SKe+wD2IrVvqik46b55i7I6c3kAvBAOWpQCOmgJrL7NLuQNyhoRK69GETK6Y1SBfT+lWBr1jKxi0CRq8A/TF7DmSg/DpI/gzOw=', 'jk8QWIO2sk2cMKw3FjeBFuvPSbBWCeQZ7gNN7TX/+4Ug1RqG8c6JNkhTsCS6iVOqbPFZz4aFIW17tBtD7BPZ0pMoJgAUi4EgiDvml36tFVZfR7hGs3Vi4QxsHI0k6OYUWQ10oJYwyB1jxyrVGPuPES/u/boWeZ6QoQw48fRFI/BOQn0UGJzYTJ6jqOeiePsp7X1Z5mPOXPocgXxwoRSNp+bCvR50ThKNxp7p+2lvfgeZTXGOFlN6wLFwa5J+eVtlvEdtoPoNsf1kS9pNvklIOn1YQFi50pvcAMKRP36pDcPPQ0qmYCclWs7iXhwmcRPPr4QJ2NBBzqXh7YU21CzHmRp3oY7Vye/caR2VePEivwOTC8Ul0/mDozvzUu3fy1a/FlIqS3oT46+YDcZ3STRU6FUqq7pawaQZTDO72Wi003AhHRgMX6BwJPd8MG3SQ0BykpbnZtVlNSGuEaOnrr0g1wLtJ4M5F7OQIhQKUCWL86ptsR7kP04nXf+7EsVLhtdsTFJEp3EbGzn6TEaXbuo7A48X/OFG9AT5NuHkZpCebnn/z/S+MP24oG9aatF7xOiQXSSoQnBF+njCzrznDVfOouH7bH0UTmyysXI2z5VjrSpcUY66QSOuE4e2TAcWRhFjrx/9vLQCgfQyGO8B7OwqaNxLON4D8VBi/cqmsKwDJxlCz3pvW2Jvs0cySaXhwKTYlG1NoQgFP5vAQaXBGr/MZwWoSvDDUzlQ/k/oEyO30SLig22/qX39UzWF1iemu6A8XO25sPpPIZrT2WslxiH/PG244vPEgfCPPEcOB8M5OeOTx5B/Em7ZSdbphtJ/i9mKCRUVULXCW26042TfVGMlMWo2HhJnTX92fl97NGXe6MtAb30ArU6SZLM1s5SLAQr76xJH1WePnbnvbe9n+6OOdAjxJL/GRm2QCP7wHjSGPIzi799yDTrhVCL6ghs/yUmKwxY/J8RV4RzBMMR1mj+Uk3yIH/1QoYEUX+pltvC5lT6+78RNpS9O8lIxifxUPXxMZpl4NYVo4MAljGjowzvbFKkI7R0xAuLLBWsbSd3WwstNKjn0r0W581JKUo5Hk267aTXs07ocIWTGp/EfT/+epXY9MpYJCqXEX7U7SuwJYvIUPx/IsvVhdH2UuPCWa7NOn5dd1aFYp8XRj1VkCsnqunv8QOUM3OnVF/TvSvKBzIGNoOEq0Ei2yGSwvxJL0NLW3CJfmNJt6miiOyUe/d2KaV1gROoxOjcHTm6NrIE8Dl3b8n0bOIq+VvUDC7rElWZQOP09mOiGmqkYqY2hh9hNbyVyCMbuNoHLGoJbYzxvRorS1obnK+ERSkF3BZJtOt5i6fTmj0hP4E2Vs8UiZeLiKDSB7zMTainjuY7lL8A5f0WbGE7yT7ez4/2G6ESXmDEhrl62yPjs8wBRbeHx/kIGB2tTyUY7g1RBbFN4oLghHhLSjr50BZhyrWvcfCSomxVGU4lln1Eg3byBbSBQeP3yRqLvwXky9s6EJMstAUce3Hht2XTZZKozOyCRRhf5eWyIwu5rQT0O3G3mwV3S2DzUyBVs8hayb1fArJVVfjQh1ISube4ZbwOA3A2KTFaxyLhwyqYIaa6t3ebwTAishGQLBbFNijUohUqiD/D6F9RxNir4otwaCrTIbZFEdiwH2UzWlc59gEf25+HpCi+GhKIWxh2uRsiXF9xmwUkkWilB+wfdV83ezwMJfWuc5KzAYK9pujb4C/YJ74Dc3Xa1F8qTIRLWAnt0CvSML/jw6O85ANIN+vReNMet3jj+b4bG2EQfgtdABwKqs3m3qwfHXXRy2G+LF3dz7Whe+wJOaM/XZyZ134CGcFOB/tsio0HTRohBG8HKKPHFd9e9XXsTwuWsPgWRZbN5c1yloQjcR0ijF+I7GK2rO4jIYqOTF6+9sJ0N0OWXS/seM0CLNNZbFtne9d19KZMBxuDVWpy8TLwtmn0ApeEYIlRzFHfu+s6thLUTwbW0fn8XZGX0Ntyfjg3mwhs+WeCdVQ2n+1JZPGEywclsd2e04sLBxrt4w7ktoHetZv/slAPKwcAsiT0jJng72mqJMAv4QAxnmOxdYSQus8dDfbzNtOwUIvDQT8GjJtK4ml0REfDLX8X31qNl+U2mLPoNH4UXVe+qMDtO3KDmSTPUGiQYi5yvNVeJ2XBOsp41wxhWapUCVKKIc5ba3pWoCf2PzO0dS/Id503F2RtgxqTJYxtseIDtqKx8A3od1BujuZSYJsZiqrYI4mdi8btcUUdeE0u9YbK+iaYqKLA0uz/GqCayO8ZeRvuCbY2ljhNhF6QzGOTM07IQg2nJJIHymCva/NuWx8sdslRK6M8wN6A=', 'hqRpbcGKdV9zJKD9SDhaGddVcpuYlkWfWmivZpS0UEZtTYON1RBBXV0lxn0WFlziwwl9wlWHWG833B86PAMZQA==', 'sVD+R3+6dmYYgSDKVPolfJnXRKBNBQbIv4tEhhls+ng/VUGSDBaEloYOKiye9B/MQxyHsORQ8FUC9HR7iKcZTw==', 'pCGyk/mkHKebD7WavFtjAfy1U0WiqWCXY0WA/rYQycKFm+eK/riW+8+Wb0dofHg/VGBtQQc4N/Th5bnc3IAHRQ=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 22B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6464

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: file.exe	Binary or memory string: vmware
Source: file.exe, 00000000.00000002.3327877148.0000000004AE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2000, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
file.exe	100%	Avira	TR/Dropper.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
wzt5xcg.localto.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wzt5xcg.localto.net	116.203.56.216	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wzt5xcg.localto.net	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.203.56.216	wzt5xcg.localto.net	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585488
Start date and time:	2025-01-07 17:58:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 2000 because it is empty
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
116.203.56.216	RuntimeBroker.exe	Get hash	malicious	Quasar	Browse
	Fattura (3).jar	Get hash	malicious	Unknown	Browse
	Fattura (4).jar	Get hash	malicious	Unknown	Browse
	Fattura (3).jar	Get hash	malicious	Unknown	Browse
	Fattura (4).jar	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	UXxZ4m65ro.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	148.251.133.221
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	116.202.167.133
	1.exe	Get hash	malicious	Unknown	Browse	144.76.136.153
	1.exe	Get hash	malicious	Unknown	Browse	144.76.136.153
	miori.x86.elf	Get hash	malicious	Unknown	Browse	144.79.65.29
	sfqbr.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	94.130.22.61
	http://yamjoop.site	Get hash	malicious	Unknown	Browse	116.203.80.157
	ZipThis.exe	Get hash	malicious	Unknown	Browse	5.161.105.73
	https://tfeweb.co.uk/signoff	Get hash	malicious	Unknown	Browse	144.76.9.200

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.454401358245793
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	46'080 bytes
MD5:	b525ea79a587def213905cf77f2b5e7e
SHA1:	08211f74b221764ad5e0ff24c914c8d8bf0fdedb
SHA256:	7d11842cce74194adfff7709d7ba3f560dd381dc05b79810ac5c08bb220e6556
SHA512:	dc9ff41591b455589a97f09245b2a70fccb1a68f1176696f386b634511f8498df8d549d9e931919c7e598586251a6552f118f0a439e4e708568afb7a0e7f46b1
SSDEEP:	768:OuUOVTwkbBHWU72ZcFmo2qjXMDnIMWBVEWWzjbvgX3isq+4YxUNcDZCf+:OuUOVTwA4M2cM2BVfW3bYXSxr+dCf+
TLSH:	AE231A003BE9812AF2BE5FB89CF26146467AF2633603E6491CC441D75713BC69A526FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n8e............................N.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c74e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65386E86 [Wed Oct 25 01:25:26 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc700	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa754	0xa800	242ce232bf5e221a85eca9cd8843af18	False	0.5000697544642857	data	5.514022344464601	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7e4	0x800	76663115a40dfd17c9c592100d268f2e	False	0.41650390625	data	4.8059490111849055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	befe45ae6d36b117ec9664968e15c14d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x478	exported SGML document, Unicode text, UTF-8 (with BOM) text			0.4423076923076923

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 17:59:06.781871080 CET	49705	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:06.843719006 CET	5274	49705	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:06.843897104 CET	49705	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:06.885363102 CET	49705	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:06.890166998 CET	5274	49705	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:08.528769970 CET	5274	49705	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:08.528930902 CET	49705	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:13.565562010 CET	49705	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:13.566472054 CET	49706	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:13.570336103 CET	5274	49705	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:13.571293116 CET	5274	49706	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:13.571365118 CET	49706	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:13.571624994 CET	49706	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:13.576354980 CET	5274	49706	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:15.280958891 CET	5274	49706	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:15.281091928 CET	49706	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:20.283282995 CET	49706	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:20.284284115 CET	49718	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:20.288032055 CET	5274	49706	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:20.289176941 CET	1604	49718	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:20.289295912 CET	49718	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:20.289614916 CET	49718	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:20.294369936 CET	1604	49718	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:21.962249994 CET	1604	49718	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:21.963475943 CET	49718	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:26.970396042 CET	49718	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:26.971152067 CET	49762	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:26.975327969 CET	1604	49718	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:26.975914001 CET	1604	49762	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:26.978481054 CET	49762	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:26.978780985 CET	49762	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:26.983526945 CET	1604	49762	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:28.655534029 CET	1604	49762	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:28.655610085 CET	49762	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:33.727567911 CET	49762	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:33.732644081 CET	1604	49762	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:33.739217043 CET	49803	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:33.744149923 CET	5274	49803	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:33.744251013 CET	49803	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:33.745594025 CET	49803	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:33.750598907 CET	5274	49803	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:35.426182032 CET	5274	49803	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:35.426260948 CET	49803	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:40.439080954 CET	49803	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:40.439958096 CET	49846	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:40.444730043 CET	5274	49803	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:40.444760084 CET	5274	49846	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:40.444853067 CET	49846	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:40.445146084 CET	49846	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:40.450004101 CET	5274	49846	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:42.122200012 CET	5274	49846	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:42.122267008 CET	49846	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:47.126926899 CET	49846	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:47.127882957 CET	49889	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:47.131758928 CET	5274	49846	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:47.132709980 CET	1604	49889	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:47.132807970 CET	49889	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:47.133145094 CET	49889	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:47.137876987 CET	1604	49889	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:48.808675051 CET	1604	49889	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:48.808784962 CET	49889	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:53.956044912 CET	49889	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:53.957042933 CET	49930	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:53.960905075 CET	1604	49889	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:53.961807966 CET	1604	49930	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:53.961878061 CET	49930	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:53.964236975 CET	49930	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 17:59:53.969058990 CET	1604	49930	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:55.673754930 CET	1604	49930	116.203.56.216	192.168.2.5
Jan 7, 2025 17:59:55.673826933 CET	49930	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:00.689126015 CET	49930	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:00.690171003 CET	49977	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:00.694009066 CET	1604	49930	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:00.695003986 CET	1604	49977	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:00.695082903 CET	49977	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:00.695384026 CET	49977	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:00.700172901 CET	1604	49977	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:02.385021925 CET	1604	49977	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:02.385113001 CET	49977	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:07.439081907 CET	49977	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:07.440166950 CET	49984	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:07.444004059 CET	1604	49977	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:07.444940090 CET	1604	49984	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:07.445024967 CET	49984	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:07.445329905 CET	49984	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:07.450090885 CET	1604	49984	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:09.258531094 CET	1604	49984	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:09.258615971 CET	49984	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:14.269598007 CET	49984	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:14.270380974 CET	49985	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:14.280335903 CET	1604	49984	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:14.281538010 CET	5274	49985	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:14.281616926 CET	49985	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:14.281930923 CET	49985	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:14.293005943 CET	5274	49985	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:15.981825113 CET	5274	49985	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:15.981910944 CET	49985	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:20.986002922 CET	49985	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:20.987114906 CET	49986	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:20.990923882 CET	5274	49985	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:20.991969109 CET	5274	49986	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:20.992121935 CET	49986	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:20.992626905 CET	49986	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:20.997368097 CET	5274	49986	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:22.670244932 CET	5274	49986	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:22.670301914 CET	49986	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:27.673590899 CET	49986	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:27.674587011 CET	49987	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:27.678505898 CET	5274	49986	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:27.679394960 CET	5274	49987	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:27.679526091 CET	49987	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:27.679816961 CET	49987	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:27.684597015 CET	5274	49987	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:29.359893084 CET	5274	49987	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:29.360022068 CET	49987	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:34.361006975 CET	49987	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:34.361875057 CET	49988	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:34.418061972 CET	5274	49987	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:34.418076992 CET	5274	49988	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:34.418225050 CET	49988	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:34.418534994 CET	49988	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:34.424276114 CET	5274	49988	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:36.089680910 CET	5274	49988	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:36.089778900 CET	49988	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:41.095376968 CET	49988	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:41.096379995 CET	49989	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:41.100291967 CET	5274	49988	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:41.101241112 CET	1604	49989	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:41.101322889 CET	49989	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:41.101670980 CET	49989	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:41.106472969 CET	1604	49989	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:42.779445887 CET	1604	49989	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:42.779522896 CET	49989	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:47.782908916 CET	49989	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:47.783767939 CET	49990	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:47.787756920 CET	1604	49989	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:47.788590908 CET	5274	49990	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:47.788656950 CET	49990	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:47.788944960 CET	49990	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:47.793688059 CET	5274	49990	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:49.499228001 CET	5274	49990	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:49.499402046 CET	49990	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:54.501677990 CET	49990	5274	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:54.502988100 CET	49991	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:54.506587982 CET	5274	49990	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:54.507781029 CET	1604	49991	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:54.507886887 CET	49991	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:54.508508921 CET	49991	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:00:54.513293982 CET	1604	49991	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:56.263679028 CET	1604	49991	116.203.56.216	192.168.2.5
Jan 7, 2025 18:00:56.263837099 CET	49991	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:01:01.267467022 CET	49991	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:01:01.268323898 CET	49992	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:01:01.273637056 CET	1604	49991	116.203.56.216	192.168.2.5
Jan 7, 2025 18:01:01.274463892 CET	1604	49992	116.203.56.216	192.168.2.5
Jan 7, 2025 18:01:01.274658918 CET	49992	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:01:01.274981976 CET	49992	1604	192.168.2.5	116.203.56.216
Jan 7, 2025 18:01:01.281013012 CET	1604	49992	116.203.56.216	192.168.2.5
Jan 7, 2025 18:01:03.102490902 CET	1604	49992	116.203.56.216	192.168.2.5
Jan 7, 2025 18:01:03.102631092 CET	49992	1604	192.168.2.5	116.203.56.216

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 17:59:06.756395102 CET	52655	53	192.168.2.5	1.1.1.1
Jan 7, 2025 17:59:06.774887085 CET	53	52655	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 17:59:06.756395102 CET	192.168.2.5	1.1.1.1	0x34ef	Standard query (0)	wzt5xcg.localto.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 17:59:06.774887085 CET	1.1.1.1	192.168.2.5	0x34ef	No error (0)	wzt5xcg.localto.net		116.203.56.216	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:59:01
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x110000
File size:	46'080 bytes
MD5 hash:	B525EA79A587DEF213905CF77F2B5E7E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2078557398.0000000000112000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00A71727 Relevance: 5.4, Strings: 4, Instructions: 442COMMON

Download Yara Rule

Strings

,, xrefs: 00A71870
xiq, xrefs: 00A71D76
aeq, xrefs: 00A71CDF
aeq, xrefs: 00A71D3C

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: aeq$ aeq$,$xiq
API String ID: 0-3263247928
Opcode ID: a6cfa1af9b022faf2dd254bcb2fc3df1bb972a0617d39240e73cfca86adcbfb1
Instruction ID: 48c59b07c092a2b36d946d1d20fe1bdff58bf72e7f17b9e21760fd9acbabffde
Opcode Fuzzy Hash: a6cfa1af9b022faf2dd254bcb2fc3df1bb972a0617d39240e73cfca86adcbfb1
Instruction Fuzzy Hash: D40271747002049FDB15EF68D954B6E7BE2EF84710F20C969E409AF3A6DB70AD46CB80

Function 00A71962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

xiq, xrefs: 00A71D76
aeq, xrefs: 00A71CDF
aeq, xrefs: 00A71D3C

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: aeq$ aeq$xiq
API String ID: 0-3614498683
Opcode ID: 495b1832304fcc950045add39a361260c9d36f20b5e7663d233abf6b3f949c17
Instruction ID: 3f797ad152068f94c8eddc3583de65be59531012dd2c2f0fc08e30346102d7bc
Opcode Fuzzy Hash: 495b1832304fcc950045add39a361260c9d36f20b5e7663d233abf6b3f949c17
Instruction Fuzzy Hash: 606170747002008FD715DF68D844B6E7BE2EF88714F10C968E50A9F3A6DB71AD46CB80

Function 00A70EBC Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

(iq, xrefs: 00A71192
Teeq, xrefs: 00A70EED

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: (iq$Teeq
API String ID: 0-2499105880
Opcode ID: eaaef1d440a7a4d1a381f163c8dcb6fcdbc8a2dbb54eff4e92cf6f7ac1cfbb10
Instruction ID: 1e0836447fcfd047722bc173efa5defda5fb62f976f092bbd3fa630b48a34d76
Opcode Fuzzy Hash: eaaef1d440a7a4d1a381f163c8dcb6fcdbc8a2dbb54eff4e92cf6f7ac1cfbb10
Instruction Fuzzy Hash: 81517975B101148FCB04DF6CC458A5EBBF2BF88700F25C1A9E806DB3A6DA75DD418B80

Function 00A70D20 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

Hiq, xrefs: 00A70E40
dLkq, xrefs: 00A70D5B

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: Hiq$dLkq
API String ID: 0-2635426336
Opcode ID: aad9a5aca19bd394ffb11489292bf93ace97844073c3d205e80ab46b455e5051
Instruction ID: 2dd57545b83e2a2d500e89d359ea593dfab7cf48259a540a20d77785f2474363
Opcode Fuzzy Hash: aad9a5aca19bd394ffb11489292bf93ace97844073c3d205e80ab46b455e5051
Instruction Fuzzy Hash: 5A41D131B042048FCB15DF68D854A9EBFF6BF89300F1489AAE006DB3A2CB759D45CB90

Function 00A71339 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

LReq, xrefs: 00A7138B

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: 79205cfa9e4ccc4be00106e2ad5104049368746f5f5837c882687b8cdba2c452
Instruction ID: 8c18d9703e1b3e4492e11bd08d23155343a387df689e17d5a1385eb26dcc024f
Opcode Fuzzy Hash: 79205cfa9e4ccc4be00106e2ad5104049368746f5f5837c882687b8cdba2c452
Instruction Fuzzy Hash: FC31F334F002168FCB45ABBC995196E7BF2EFC9310B14856DE54ADB3A5EE30CD018790

Function 00A70D10 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

dLkq, xrefs: 00A70D5B

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: dLkq
API String ID: 0-1300969514
Opcode ID: c970ee691876970ed2585d3c5b7f9096e1376c0ad556544314c7ad142d85b3af
Instruction ID: 9b51f53ab858a49c8eae38a0904882876746def26b5d6f189d27d9897ac332dc
Opcode Fuzzy Hash: c970ee691876970ed2585d3c5b7f9096e1376c0ad556544314c7ad142d85b3af
Instruction Fuzzy Hash: 35316F75A00204CFDB15DF69C958BAEBFF6BF48300F1485A9E405AB362CB75AD44CB90

Function 00A70E3F Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hiq, xrefs: 00A70E40

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID: Hiq
API String ID: 0-3823623015
Opcode ID: b573daa1dd4793cdff33b407698971a5927ae84d562775c227e3dce043b34280
Instruction ID: f096e3b2d0d7a476dc8e69981c08b8fb93b1da3500376a4b9a9e59dd1babcbef
Opcode Fuzzy Hash: b573daa1dd4793cdff33b407698971a5927ae84d562775c227e3dce043b34280
Instruction Fuzzy Hash: 46F022207082908FC745DB7D681492E2FE3AFDA25072848BED14ACB3A3CE298C068351

Function 00A70AA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b67bff2ab1271da6234efcecdacc5e747c51baa1c467cbc1c0e9e1f2ad0dd4b
Instruction ID: 75eb55e52bb5cdac939ed959cd9c0ff14c2519b6931ed0af5d4e61952f01ec30
Opcode Fuzzy Hash: 2b67bff2ab1271da6234efcecdacc5e747c51baa1c467cbc1c0e9e1f2ad0dd4b
Instruction Fuzzy Hash: 1251D37C602601CFC797EF78F85495E7BA6FB84B053508A6DD401AF22ADB319986DF80

Function 00A711D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740c18bb59777423321d0562eabaae88ce9d80164d821466c8be68b7b739d933
Instruction ID: 1986b179c089c4d9e3a952ede16c104b7d99dcf988bb171aea20912fbe0d927e
Opcode Fuzzy Hash: 740c18bb59777423321d0562eabaae88ce9d80164d821466c8be68b7b739d933
Instruction Fuzzy Hash: E541A271E00209AFCB04EFBD894466EBBF6FF88310F24C5A9D549D7346DA349E418790

Function 00A70998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876abeb98e51f2795d8e86a8836caecb5f44f0b0e76d2704bdd0b83f4bc53269
Instruction ID: fe66da65085295ff67aac93c6b91c3c53f611e94fdf624ad5fc8de2308a57f1e
Opcode Fuzzy Hash: 876abeb98e51f2795d8e86a8836caecb5f44f0b0e76d2704bdd0b83f4bc53269
Instruction Fuzzy Hash: 3E213A34A05342CFDB64EBB9ED58A3E7BB5BB14781B10D47DD40BD61A1EB308942CB61

Function 00A709A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cccad5f1a0e58df39330c04590ccec132d9e2e7e06f2a3792ae48b1f48ea933
Instruction ID: 058367a5b0d228ae9b2bdfa92ea2714e710b0a637abb00f76b7fc52380980560
Opcode Fuzzy Hash: 5cccad5f1a0e58df39330c04590ccec132d9e2e7e06f2a3792ae48b1f48ea933
Instruction Fuzzy Hash: 4F213E34A15302CFDB64EBB9ED14A3E7AA5BB54781F10C43D940AD2155EB3089429BA2

Function 00A71431 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1328ead6d84ffdc1b41a914580f1ecf044a57ed2af0271c87db6a722520bec
Instruction ID: e7019d0dbb6a157cc425e0facfe2384b8a96f55b1c7d14e94af3c07c23ed2107
Opcode Fuzzy Hash: 1d1328ead6d84ffdc1b41a914580f1ecf044a57ed2af0271c87db6a722520bec
Instruction Fuzzy Hash: 43118E74A06241DFCB55EBBCD904A6E7BF1AF8970472588BDD50ADB369DB308C01CB50

Function 00A71440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cdeaf7e1fabf4e3987030b84719c25154ef9abb5007f5b3c7b8fe8d404b346
Instruction ID: 48b89c8357c6b05064d8abef9a0ce5a08e5852f9dd9dd910e799bedefd814738
Opcode Fuzzy Hash: 53cdeaf7e1fabf4e3987030b84719c25154ef9abb5007f5b3c7b8fe8d404b346
Instruction Fuzzy Hash: 06115BB4B012059FCB94EBBDD904A6E7BE6AF88714720887DD50ADB358EA31DC41CB90

Function 00A716A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc6fa22b4cfd952c9d17f895c4b32e36f6b75ce994c8033e67042380cb6c063
Instruction ID: 4342fb03230ea2523055cacb5ee9a7f959f3433152e4e6d665dbbe4ab77eb856
Opcode Fuzzy Hash: 9bc6fa22b4cfd952c9d17f895c4b32e36f6b75ce994c8033e67042380cb6c063
Instruction Fuzzy Hash: C2018F78A022118FCF59EF68D951BAE77F4AF44B04F04C06DD44AEB641EB705D02CB91

Function 00A70E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab4620da9390c9ee40dce409b773b93174b43c07e3cc8d065b188398413ec38
Instruction ID: 793bbc1172b1184150ab9a912583c7379fd623ea2d3800005c395bc132d4f9a7
Opcode Fuzzy Hash: aab4620da9390c9ee40dce409b773b93174b43c07e3cc8d065b188398413ec38
Instruction Fuzzy Hash: FDE0C2317002005F8744D67EE88485BB7DBEFC92343240879F109C7325CD74CC028790

Function 00A70A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77ed26ef2fd8c992c5498926d340b5f64f7fcfd0bb32aa1f5fa400acd785d9d
Instruction ID: d8f297ae5c6f819fc132ebe7b0b8ff6ec5374b784018058dbeae39a1c6cdc966
Opcode Fuzzy Hash: e77ed26ef2fd8c992c5498926d340b5f64f7fcfd0bb32aa1f5fa400acd785d9d
Instruction Fuzzy Hash: 20C01274924307CED324A3F8AD08A7C3E20AB41342F40D021A006000A28AB008024716

Function 00A70A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3326288184.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d141df07312bd742476b2fd387d155e73e941438c34f4d6036441c4649213ab1
Instruction ID: 5a7e23726be03156d5157f8a77e7e5ce22673bd5b2466894e5df4a6e4b87404f
Opcode Fuzzy Hash: d141df07312bd742476b2fd387d155e73e941438c34f4d6036441c4649213ab1
Instruction Fuzzy Hash: 3CC0127092474ACAD72493F8AD08A7C3F20AB41342F40D026A006000A28AB008028B16

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe