Edit tour

Windows Analysis Report
I6la3suRdt.exe

Overview

General Information

Sample name:	I6la3suRdt.exe renamed because original name is a hash value
Original sample name:	f53df3d1d050644762fcb2b3a697c7d3.exe
Analysis ID:	1585657
MD5:	f53df3d1d050644762fcb2b3a697c7d3
SHA1:	c1bccfdf62c6e55df6d7a203366f46ac3fca9917
SHA256:	60336b211d156dfd0502c00083c9e3b216e5c00046a8a1a066d6eff7e9cb0f87
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

I6la3suRdt.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\I6la3suRdt.exe" MD5: F53DF3D1D050644762FCB2B3A697C7D3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "38.240.58.195", "Ports": "6606", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "PVWWJXVoJwVMlOvTI4Y8AeFWMiPev9wO", "Mutex": "mndjZ3XYTW62", "Certificate": "MIIE8jCCAtqgAwIBAgIQAOEX6EgmXS61NIZHbGJtoTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMTA0MTU1NzE4WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIMrri21HCu3pM85/1h+qKlKRrB59CYRvnU0Cwzl7CQ6LDmmRaM9wI02sQeQB+mDRM2/ZREw6VeConcYuXbnNrVk5k96qEGV3MiaysiiWGT9eUWi4BsJvbr2TSOc9iIQk9PZNmmzUYwcHj3HO/l8IKM75NnxSzj3HWRf8AD34iM5SFdmTtxhq5KBfPr/oqoW0n7XF4X9yhIKmd87GVtCbWQBm/WbfArWUF0TaPAniDWuN8YYQksljfh10QDZEdQe0ogj45MLU/jbF6ptWRKqrffOrQjYtKPl9nQu2J5yb7CbavMxsbwZbednUAp3SifGoZI81e1e5v3eBu1ER4tp6DclTGyaLY3AISjK1Zl4tIA7ZsRRXNAVvVQjYYM3g/+8MQKdXahGH+bcEHAqkgc40juUD/yeIUqltJ5DPd4AzZVcZ2asQgGKAoj49EDYevMh4VqzuoHKPDuAtpLV+U3fscz64NS0H+nK3TDJ5Ih08je7ChS8OSWZklsKIEhFFgALTlvXKNXoMk2nLHPV4cLZclgXiYOyWc+OGija5bfRJLnJ2kYXXllgzbiRGke1bfiRHdUsI2rd6befplj8giwjCeiVj5egE0ivWjk6he9Fr9EJbvbLfE91rfpmgCnhhamYJ7XobrItxs75S0Z5xIw8pTg33l3QV4bbncDIXwYC1ai3AgMBAAGjMjAwMB0GA1UdDgQWBBQUdapiQGb72JzOQuQeSgtV3OmBGjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQB6iVkHhXwvPbDAKDX2U6cLnWJtSVFeNGh/aSao+3Zw88KnPocBmC4rzrGXPMVjQ6Ox6pGOTOFnzT07vUiwYSLX6Q9mgn/JEMfBmHzpSpN0+nK07BRm74Mbx7rN4MBD9Z0qoWQgdusV72UdcydVwaYXhQOiyPMnJamBFgF5GOpM+0YaLK939h4GyQCBnn2xtZgkM8doXB82XyOhfgz8eZ3x83K84pl6RCWXdxWe/W3VegFiB5nvxO9Ndtz/EPBdqq7+DeWawWUuPczvrbADSkDGoGsbgDxn2Qh7KAnigXtcBpzfl34eYot6c1gM/ggFnH6h7kBm0LKnsiXWwWLf1y8H8UXA+opcid/0yJeI9A5tDW+4p5Z9FbYmIpA2SGmFm2Xewx+P6fEtw8f2AAPhvRw7H0dWdIoJ65IeJlOtTGh/Kk+gWvijGqaw+tnT94RkqXVn/3l2wbnesiWy+j1gVEHAMFqWby2uzOlUjh6Y3y5M1V9KgLSiH2M11vDpPXkW+sBmDA+9iJqWQ9z/auNrma4dUA5WzlpNd6Zm+Iq40rcVobP1XX1yoFhJSW0wlVM5qJGHnDO0Qp5SHN25OZ4sWQNACLV1767PA5RXsjYQz0TRyXVBQuFB2lXEcYyi9e3KUl48X4OE0exRZdBH3/eAksdFYGqZGJJ7Y0UbyALKFBnzmQ==", "ServerSignature": "fyL3wib0D3U9GdHac8/M8RQjBRzJ7i+CbJjEO7apR1AfzI+GbndOH7GjBJru2SrcIUq7Ne+G9cinkYBlZ/6oBzXNi5CRu4ZTY0JHimfUbGM7SX1akEqGgHusvJLqMbU8+cOdo5CytoIvS4DIN9bw6fT0Rtg+wARgW6NlN5+eraObyooKHxXTfs4Wk5PG2Q+22EuH8EaTPxOSkYkl5WEcZlGSimVAIEmBRsF+yT41XGpl98YdEW7RZLao7TY13KDVXT82NwTsSZbsO2IYCnnxqXKzBWpulTwJPMpXlS9D5iOOWs7zlG0UoW0iwa6VKbyHiC6+tbbXcSoUnKFUgY4XeaKPMWeyC0QGRbESOmPKHjZuEu735GY+tN4cV4rPWFf4eqjUr2lLeipiOqpRwG2dE62s/EZOEazL6SJLr4C31Z5sL4oKpIwz3jAjqlLk3l12EnNbW4sW4sJOLR5trAbh9wW/whdt6yp9qdsAqzRqNM5v7iPiApBQ4c8i8R/WHqYxQX5qeQQFI4PuL4Ghb4s2GU2OHoURo3Poqfts4az0shQ50+FjILqIfmHwIPaxnoOI6xn56ymlBzB5Wqjbhxvb23FK4juPl8R3OUJJjsFqm+TZMw8SjvcYkTRtDCV54S7fxxNm1XGdJwK9jA5i4g/D64S+GLcVPozQLzSPu4Y3wxo=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
I6la3suRdt.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
I6la3suRdt.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
I6la3suRdt.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ff:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x670f:$a3: get_ActivatePong 0x9b17:$a4: vmware 0x998f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745e:$a6: get_SslClient
I6la3suRdt.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x670f:$str01: get_ActivatePong 0x745e:$str02: get_SslClient 0x747a:$str03: get_TcpClient 0x5d1c:$str04: get_SendSync 0x5d6c:$str05: get_IsConnected 0x649b:$str06: set_UseShellExecute 0x9c35:$str07: Pastebin 0x9cb7:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a0f:$str10: timeout 3 > NUL 0x98ff:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x998f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
I6la3suRdt.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9991:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9791:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: I6la3suRdt.exe PID: 4796	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: I6la3suRdt.exe PID: 4796	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3a487:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.I6la3suRdt.exe.3a0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.I6la3suRdt.exe.3a0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.I6la3suRdt.exe.3a0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ff:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x670f:$a3: get_ActivatePong 0x9b17:$a4: vmware 0x998f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745e:$a6: get_SslClient
0.0.I6la3suRdt.exe.3a0000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x670f:$str01: get_ActivatePong 0x745e:$str02: get_SslClient 0x747a:$str03: get_TcpClient 0x5d1c:$str04: get_SendSync 0x5d6c:$str05: get_IsConnected 0x649b:$str06: set_UseShellExecute 0x9c35:$str07: Pastebin 0x9cb7:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a0f:$str10: timeout 3 > NUL 0x98ff:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x998f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.I6la3suRdt.exe.3a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9991:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T23:57:03.634914+0100	2035595	1	Domain Observed Used for C2 Detected	38.240.58.195	6606	192.168.2.5	49704	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T23:57:03.634914+0100	2035607	1	Domain Observed Used for C2 Detected	38.240.58.195	6606	192.168.2.5	49704	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T23:57:03.634914+0100	2842478	1	Malware Command and Control Activity Detected	38.240.58.195	6606	192.168.2.5	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: I6la3suRdt.exe

Avira: detected

Found malware configuration

Source: I6la3suRdt.exe

Malware Configuration Extractor: AsyncRAT {"Server": "38.240.58.195", "Ports": "6606", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "PVWWJXVoJwVMlOvTI4Y8AeFWMiPev9wO", "Mutex": "mndjZ3XYTW62", "Certificate": "MIIE8jCCAtqgAwIBAgIQAOEX6EgmXS61NIZHbGJtoTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwMTA0MTU1NzE4WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIMrri21HCu3pM85/1h+qKlKRrB59CYRvnU0Cwzl7CQ6LDmmRaM9wI02sQeQB+mDRM2/ZREw6VeConcYuXbnNrVk5k96qEGV3MiaysiiWGT9eUWi4BsJvbr2TSOc9iIQk9PZNmmzUYwcHj3HO/l8IKM75NnxSzj3HWRf8AD34iM5SFdmTtxhq5KBfPr/oqoW0n7XF4X9yhIKmd87GVtCbWQBm/WbfArWUF0TaPAniDWuN8YYQksljfh10QDZEdQe0ogj45MLU/jbF6ptWRKqrffOrQjYtKPl9nQu2J5yb7CbavMxsbwZbednUAp3SifGoZI81e1e5v3eBu1ER4tp6DclTGyaLY3AISjK1Zl4tIA7ZsRRXNAVvVQjYYM3g/+8MQKdXahGH+bcEHAqkgc40juUD/yeIUqltJ5DPd4AzZVcZ2asQgGKAoj49EDYevMh4VqzuoHKPDuAtpLV+U3fscz64NS0H+nK3TDJ5Ih08je7ChS8OSWZklsKIEhFFgALTlvXKNXoMk2nLHPV4cLZclgXiYOyWc+OGija5bfRJLnJ2kYXXllgzbiRGke1bfiRHdUsI2rd6befplj8giwjCeiVj5egE0ivWjk6he9Fr9EJbvbLfE91rfpmgCnhhamYJ7XobrItxs75S0Z5xIw8pTg33l3QV4bbncDIXwYC1ai3AgMBAAGjMjAwMB0GA1UdDgQWBBQUdapiQGb72JzOQuQeSgtV3OmBGjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQB6iVkHhXwvPbDAKDX2U6cLnWJtSVFeNGh/aSao+3Zw88KnPocBmC4rzrGXPMVjQ6Ox6pGOTOFnzT07vUiwYSLX6Q9mgn/JEMfBmHzpSpN0+nK07BRm74Mbx7rN4MBD9Z0qoWQgdusV72UdcydVwaYXhQOiyPMnJamBFgF5GOpM+0YaLK939h4GyQCBnn2xtZgkM8doXB82XyOhfgz8eZ3x83K84pl6RCWXdxWe/W3VegFiB5nvxO9Ndtz/EPBdqq7+DeWawWUuPczvrbADSkDGoGsbgDxn2Qh7KAnigXtcBpzfl34eYot6c1gM/ggFnH6h7kBm0LKnsiXWwWLf1y8H8UXA+opcid/0yJeI9A5tDW+4p5Z9FbYmIpA2SGmFm2Xewx+P6fEtw8f2AAPhvRw7H0dWdIoJ65IeJlOtTGh/Kk+gWvijGqaw+tnT94RkqXVn/3l2wbnesiWy+j1gVEHAMFqWby2uzOlUjh6Y3y5M1V9KgLSiH2M11vDpPXkW+sBmDA+9iJqWQ9z/auNrma4dUA5WzlpNd6Zm+Iq40rcVobP1XX1yoFhJSW0wlVM5qJGHnDO0Qp5SHN25OZ4sWQNACLV1767PA5RXsjYQz0TRyXVBQuFB2lXEcYyi9e3KUl48X4OE0exRZdBH3/eAksdFYGqZGJJ7Y0UbyALKFBnzmQ==", "ServerSignature": "fyL3wib0D3U9GdHac8/M8RQjBRzJ7i+CbJjEO7apR1AfzI+GbndOH7GjBJru2SrcIUq7Ne+G9cinkYBlZ/6oBzXNi5CRu4ZTY0JHimfUbGM7SX1akEqGgHusvJLqMbU8+cOdo5CytoIvS4DIN9bw6fT0Rtg+wARgW6NlN5+eraObyooKHxXTfs4Wk5PG2Q+22EuH8EaTPxOSkYkl5WEcZlGSimVAIEmBRsF+yT41XGpl98YdEW7RZLao7TY13KDVXT82NwTsSZbsO2IYCnnxqXKzBWpulTwJPMpXlS9D5iOOWs7zlG0UoW0iwa6VKbyHiC6+tbbXcSoUnKFUgY4XeaKPMWeyC0QGRbESOmPKHjZuEu735GY+tN4cV4rPWFf4eqjUr2lLeipiOqpRwG2dE62s/EZOEazL6SJLr4C31Z5sL4oKpIwz3jAjqlLk3l12EnNbW4sW4sJOLR5trAbh9wW/whdt6yp9qdsAqzRqNM5v7iPiApBQ4c8i8R/WHqYxQX5qeQQFI4PuL4Ghb4s2GU2OHoURo3Poqfts4az0shQ50+FjILqIfmHwIPaxnoOI6xn56ymlBzB5Wqjbhxvb23FK4juPl8R3OUJJjsFqm+TZMw8SjvcYkTRtDCV54S7fxxNm1XGdJwK9jA5i4g/D64S+GLcVPozQLzSPu4Y3wxo=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for submitted file

Source: I6la3suRdt.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: I6la3suRdt.exe

Joe Sandbox ML: detected

Source: I6la3suRdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: I6la3suRdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 38.240.58.195:6606 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 38.240.58.195:6606 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 38.240.58.195:6606 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 38.240.58.195:6606 -> 192.168.2.5:49704

Yara detected Generic Downloader

Source: Yara match	File source: I6la3suRdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 38.240.58.195:6606

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195
Source: unknown	TCP traffic detected without corresponding DNS query: 38.240.58.195

Source: I6la3suRdt.exe, 00000000.00000002.3263158234.00000000009AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: I6la3suRdt.exe, 00000000.00000002.3264692459.0000000004C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab-
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: I6la3suRdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Code function: 0_2_00D765C0	0_2_00D765C0
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Code function: 0_2_00D75CF0	0_2_00D75CF0
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Code function: 0_2_00D7A7A8	0_2_00D7A7A8
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Code function: 0_2_00D759A8	0_2_00D759A8
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Code function: 0_2_00D76EC0	0_2_00D76EC0

Source: I6la3suRdt.exe, 00000000.00000000.2023039831.00000000003AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs I6la3suRdt.exe
Source: I6la3suRdt.exe	Binary or memory string: OriginalFilenameStub.exe" vs I6la3suRdt.exe

Source: I6la3suRdt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: I6la3suRdt.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: I6la3suRdt.exe, Settings.cs

Base64 encoded string: 'gxoelcFYX9nTDxyy5EAwTKMeQrVv9kCKlVtnNSTBBnM/gDnhGuKcv7XajzMZDTXbK45lK7q+SQTar+gNFIZTcg==', 'I+ivqJBdJuEFAuXbH6ExW0STSVMJHT884MwhxjgvkPXGYcUHwATK0vFJ7HkrOsGZ1RJl1NwMltUXBH82FOyqfQ==', 'rQhaCrpuRfe5zc4DPgT13uXudDAQe/iQcmTaoTtMagPKH6MvstCqEXBlyODuy9WTT89pYlehhM/aCaY8wr8MgCkHbpNmK2hi4e/GxReees8L5LiJ4LVsbPlmJALTXwLbMVTNbWgBAelIEbAV8FKZlwaY5dULWQhUUsFE6d+PVQ+cng8Um7t7YUvmpMwdCUhdJEJAXgs5unGr0YvDJdEhjroMLjGtwsmH+4r//IEp1xC3VQbtilPep2ltIwp/XxVB1N3z7KyTs5DQTJs9SJghI82SmXfYLHTdidHkewKpu8MlOlt7dxln6frGOSkVA0MM9WlzNY/LayNJJrMxSsAe/z3OXQYOYeFd5Jy/INRHtWyAWN7H8kv0b1DQTxzylS1/MVl937E+PV1LTnKUa7qexO+h1Onob2nm40DwHl16t344TN9xeb/N5Bq23deFY2Di+j4HQ6NZYhCZ9mWm9H4WJppoA+1IIf9EkyYG41EN/wX+e4SS+jEmXV0K54PGsqtHaXbVZ8VHtT25WFgdiyqEo8BdmBL0aj8pxzzRPM5tRrY7sAL7G9ldje+MBTaHJ2G08sRf+BVFL9ZzOKScYwrflZ+CcUC1nXA804C/2xPBoD1pnGRHa17UaF1e7t1b45l1tThoGoNpAeUGOy+iW+LL/AUhgtBfGcV+LsssW1bwpE05nr0tNAHADF2UQ9IjjuyVyMJEQXj6/AO6DyA5Kh3KJSBxhxZnRfDaBXUXOc5ST5rl0zrU40YTvqVwS/IqtHBwH7M4bbOgpzvrb6V0pI9O1nzcWJk8iwqQCC7rWX0nENf79/VAYv36Pehp/SwP2LLOcE8ELIluhNFOkZ5ddcPHfL30izEDekSPllHd9qj5tDlzeb3uNOfNUL1yGh99ewYc/Qk4089muWJoshjbbOcb3d2xx63PUyBEmY0pqxKSE+H5o597tkaalBCZAiwO8rVZcILaIH/OE2gzfW6QzXM9bLsHmQFZSQfZrSFp5V7xDmPOWyU11niAxlCvpoWSnW1F1d1VL1XqcuB/aDST35bGiU8aNqLlWb8OwGfT+M/IfNVWawZj7snVQG1KJ/jYPHzjnQKbPh9Y9HlZmgrz386eivSIEzTUU4Hc4GZfbFEG2QNxFR2SQNAdLI2uz1QLzXSND3fb+Hw+kqxS1AHfWD7WviGpEkcy48eeJmM8Nqg5aC9Gde8b/JNElmqwYQseoRuHHozSZ4E0SFrpu6RMPZ4cV4XjWnYE0SDAYknqXAeo0CZw57z2URlnsjmwZZ4nbi0aFNx/g7RZk3E3Wyiyylvwt+7FbOOEeMQ6y/xvb9IJZCSDOprU3JzKzUwKTx3rr5gtg8vEIan6AjEQNeCqQdXwySsQG9X6muZHgHaPJEh2NOth3pvIEAVn0qnMpL738nje4LA6PTtMQybBpXj+udLoLReG/gtCyMxFld00yXaCPKvVwqBW1iur3gb+UdBymX/LwDZFY3+X4hJ41xf9C/uguD9/WMiG1HDOB3MMz5QPIbFHYqmvmRUhMdzZjoyA1kTOca+OnyupU3Zkygi8gkKAi42ipfM/lEMNIhY+Vb4WVh99wQ37do2IEXCHN44drYNpMMskD5lvgGqx74XtNqpET1ziYYOsEfeyct9LWG+77SXZmMAbLPTw5qFMqPLsTtOBze1diRSiIp2WD0WYVI92YmK0tylYYMfglT5ceUuwX1x8qkshxf7xev3g8JxZyTYWidvX13f1RDafZctGt1G4OWjsYFr5XxN+USylDII3RiOtdJ5uFx8MLWVJIxR0k4QT7gq3/Z5jExT3vcN+z8dXS7a9n4gQXh4nKU3ZIFhmGP3Y/dH1S1enAXbvcWWkn5aOndSh9EDhhir6ZImGkIk2LWLeDS/nTIhwdoiFoZEiIboJYEiOEKtTu51+gEtwN5AwmWJ9lE1ZG7zOkgEgiglkZnEdJ1pEv0erxNVYM/4SHoHo4H9pjx8P3ixBLPOwEDM7St6faAeXPbd849Mnhx1oPcVEj8VyUZUxox28qwYcvEr9WpbkNMlZPrVVMaNaF+99z8n6y1EBStgmsMknjlPupUcYBj3hcLiv1nsq1Dg8HLPHSP039G8RvZrVrhdY2Bd4SHB+UEItEGXP31Lkoyusp/ADAP1T9QRBn9ej+9/MiwSuDDCzr1hpIBH8VGpruzTTEUeWpLHAECgCUYrHW/Vj7tKqE5htv1tBAFW4WjOUrnG49ipe/9ocu+YK9n1Bgd6IoWJEvugUj4r6ngo4gD6kq3ZJ1XaxKBMvzBQHLOitXBuLZEHVAdLwosZU7BVGN1RxPIPckKPNh7bwCcBeX+UisXwtIrdOxXcABxGCXyolYqM=', 'ZvHOPxoQdrnZygn3/GEMau/lB8ZPCqwTjRjm/+3psIY6gwNgJ+hFKA9OSwevvAJgP9TBlSU8o7+iYPhm2CglXAUCvMs+yXLOLoHDoTnm1qHgRsfaZl+aWjMf+Jos+zB/QLn9SXhOHF9N5hGyX4BoX4lHHtdlucv9JARafHel8YEsVqhXMmToafPBpi391HPYYOjjXSx5hCESJVqVvRgjQcRCBiwMVA05wqGi1bjva6mvDlJBAygEeuHTZVd8aAv6SfsHPAJeVGmn4o9uBXfZ6K/I7MVdkcnGqcQky4t2259FrAwnaNb6Q/uzotUYpzzReuRBoPfC0tTt9QXmQH06Tp4PXDPMX86MQ7yBMShfB+B/dgcKY7bLWcsKyR7eHDVLcDon7REeyMwtLLHULQM5j7OPPF5yY+OF1RtUi8jXijBevStxJSGGIrSkSESzJ/WGEy+BCfzHBA3yQvI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Mutant created: \Sessions\1\BaseNamedObjects\mndjZ3XYTW62

Source: I6la3suRdt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: I6la3suRdt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: I6la3suRdt.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: I6la3suRdt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: I6la3suRdt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: I6la3suRdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: I6la3suRdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: I6la3suRdt.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Window / User API: threadDelayed 2294			Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Window / User API: threadDelayed 7556			Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe TID: 6500	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe TID: 6648	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe TID: 6632	Thread sleep count: 2294 > 30	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe TID: 6632	Thread sleep count: 7556 > 30	Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: I6la3suRdt.exe	Binary or memory string: vmware
Source: I6la3suRdt.exe, 00000000.00000002.3264500502.0000000004BEE000.00000004.00000020.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3264692459.0000000004C31000.00000004.00000020.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263326006.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002752000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002782000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.000000000275A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002782000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]ql+x
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002752000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002782000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.000000000275A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.000000000275A000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.000000000274E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q`
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.000000000274E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q@
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002752000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002782000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.000000000275A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q%
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]qLCu
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002752000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q,Eu
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.000000000275A000.00000004.00000800.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002743000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q
Source: I6la3suRdt.exe, 00000000.00000002.3263577740.0000000002782000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]qL-x

Source: C:\Users\user\Desktop\I6la3suRdt.exe	Queries volume information: C:\Users\user\Desktop\I6la3suRdt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I6la3suRdt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\I6la3suRdt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: I6la3suRdt.exe, type: SAMPLE
Source: Yara match	File source: 0.0.I6la3suRdt.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I6la3suRdt.exe PID: 4796, type: MEMORYSTR

Source: I6la3suRdt.exe, 00000000.00000002.3263254626.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, I6la3suRdt.exe, 00000000.00000002.3264500502.0000000004BEE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\I6la3suRdt.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
I6la3suRdt.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
I6la3suRdt.exe	100%	Avira	TR/Dropper.Gen
I6la3suRdt.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	I6la3suRdt.exe, 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
38.240.58.195	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585657
Start date and time:	2025-01-07 23:56:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	I6la3suRdt.exe renamed because original name is a hash value
Original Sample Name:	f53df3d1d050644762fcb2b3a697c7d3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target I6la3suRdt.exe, PID 4796 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: I6la3suRdt.exe

Simulations

Behavior and APIs

Time	Type	Description
17:57:03	API Interceptor	2x Sleep call for process: I6la3suRdt.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	FACTURAMAIL.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	199.232.214.172
	Kawpow new.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	199.232.214.172
	Here is the completed and scanned document.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	miori.mips.elf	Get hash	malicious	Unknown	Browse	38.98.208.148
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	206.238.152.40
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	38.215.10.156
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	38.193.71.68
	miori.arm.elf	Get hash	malicious	Unknown	Browse	206.144.205.178
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	38.89.204.123
	sora.mips.elf	Get hash	malicious	Mirai	Browse	38.30.217.225
	miori.arm.elf	Get hash	malicious	Unknown	Browse	38.95.31.42
	miori.x86.elf	Get hash	malicious	Unknown	Browse	154.46.181.203
	m-p.s-l.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	38.134.189.10

Process:	C:\Users\user\Desktop\I6la3suRdt.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\I6la3suRdt.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.230292874842873
Encrypted:	false
SSDEEP:	6:kKm9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:BDImsLNkPlE99SNxAhUe/3
MD5:	E9C5AE268FF5D73FAFF2E4056EE0F2C5
SHA1:	83C7236EE3F4B94497D16494311A229F26A10256
SHA-256:	9328EA35F6B4246905C981A7B24B6393229CC1D0CC7B64ED91AECC9906185572
SHA-512:	26EAF9262BF3DEF7427C8A91353F8328F6F7644AE4E5FD0B57D5E8BBE5DD99E163CC690B562007C66F81D695BACA304E2F655AFD1B11115374ED2FB402DADBA4
Malicious:	false
Reputation:	low
Preview:	p...... ........zF.wWa..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.447426653942676
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	I6la3suRdt.exe
File size:	46'080 bytes
MD5:	f53df3d1d050644762fcb2b3a697c7d3
SHA1:	c1bccfdf62c6e55df6d7a203366f46ac3fca9917
SHA256:	60336b211d156dfd0502c00083c9e3b216e5c00046a8a1a066d6eff7e9cb0f87
SHA512:	0c895e341fb55baeec0582a435979e8d489c096248aa33ce95930435f57fc8b7ff219a2aab92d38e5e997649187e25b2e7be9d0df538e9d5468980e2ebc7bddd
SSDEEP:	768:Su/dRTUo0HQbWUnmjSmo2qMUwAvJKewy/PI3Qjb7gX3i7YoFBTtkmgNWNRaBDZGx:Su/dRTUPE2Ifv7o3YbEXS7tFFtkXSREu
TLSH:	43231A0037E8822BF2BF4F78ADF26155467AE2632603DA4D1CC451DB5613FC69A426FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c6ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc698	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6f4	0xa800	bea8d37c201cbdd9e6bdc729eef491a9	False	0.49839564732142855	data	5.502080923776777	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	2ee534722734c2b7bc678b383d5b489d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T23:57:03.634914+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	38.240.58.195	6606	192.168.2.5	49704	TCP
2025-01-07T23:57:03.634914+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	38.240.58.195	6606	192.168.2.5	49704	TCP
2025-01-07T23:57:03.634914+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	38.240.58.195	6606	192.168.2.5	49704	TCP
2025-01-07T23:57:03.634914+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	38.240.58.195	6606	192.168.2.5	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 23:57:02.968019962 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:02.972975969 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:02.973077059 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:02.983599901 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:02.988360882 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:03.623733997 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:03.623759985 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:03.623929024 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:03.630117893 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:03.634913921 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:03.819106102 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:03.865262032 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:05.001626968 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:05.006920099 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:05.006984949 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:05.011770964 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:08.344141006 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:08.396522999 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:08.491194963 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:08.537134886 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:16.710067987 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:16.714886904 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:16.714940071 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:16.719666004 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:17.029259920 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:17.083998919 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:17.162302017 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:17.165750980 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:17.170564890 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:17.172856092 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:17.177586079 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.428694010 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:28.433497906 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.433554888 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:28.438318014 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.749077082 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.802783012 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:28.892544031 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.894174099 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:28.899521112 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:28.903053045 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:28.908468008 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:38.354295015 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:38.396522999 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:38.491286039 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:38.537168980 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.146933079 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.151706934 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:40.151773930 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.156538010 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:40.480088949 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:40.521533012 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.748779058 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:40.750451088 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.755186081 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:40.755230904 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:40.759964943 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:51.865798950 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:51.871527910 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:51.871598959 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:51.876449108 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:52.197181940 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:52.240302086 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:52.334747076 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:52.336231947 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:52.341037035 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:57:52.341089964 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:57:52.345843077 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:03.584378958 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:03.589168072 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:03.589238882 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:03.594019890 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:03.921777964 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:03.974678993 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:04.069335938 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:04.072218895 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:04.076978922 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:04.077032089 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:04.081923008 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:08.352484941 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:08.396608114 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:08.491321087 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:08.537215948 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.303186893 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.307992935 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:15.308063984 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.312813044 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:15.629865885 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:15.677974939 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.772717953 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:15.774156094 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.778966904 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:15.779071093 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:15.783906937 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.022072077 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:27.026874065 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.026945114 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:27.031951904 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.362596989 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.412198067 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:27.507491112 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.508956909 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:27.513757944 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:27.513825893 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:27.518600941 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:38.366065025 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:38.412198067 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:38.507802963 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:38.552823067 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:38.740660906 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:38.745558023 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:38.745616913 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:38.750392914 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:39.072859049 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:39.115349054 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:39.210697889 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:39.212786913 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:39.217557907 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:39.217645884 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:39.222443104 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.459449053 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:50.464359045 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.469027996 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:50.473803997 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.786326885 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.834078074 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:50.929645061 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.931739092 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:50.936584949 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:58:50.936665058 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:58:50.941416979 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.203257084 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:02.208158016 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.208226919 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:02.213011026 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.526679993 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.568480968 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:02.664472103 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.665956020 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:02.670811892 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:02.670866013 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:02.675574064 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.021836996 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:03.026679039 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.027247906 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:03.032007933 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.350944996 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.396610975 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:03.492583990 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.493196011 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:03.497951031 CET	6606	49704	38.240.58.195	192.168.2.5
Jan 7, 2025 23:59:03.498012066 CET	49704	6606	192.168.2.5	38.240.58.195
Jan 7, 2025 23:59:03.502793074 CET	6606	49704	38.240.58.195	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 23:57:04.160617113 CET	1.1.1.1	192.168.2.5	0x6f8a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 23:57:04.160617113 CET	1.1.1.1	192.168.2.5	0x6f8a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:56:57
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\I6la3suRdt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\I6la3suRdt.exe"
Imagebase:	0x3a0000
File size:	46'080 bytes
MD5 hash:	F53DF3D1D050644762FCB2B3A697C7D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2023015610.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.3263577740.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00D75CF0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4735fb6be4edf8461e603650b60e0670a74cec34a182d9560d7aba9893d3f0
Instruction ID: fc69e80d62f2d0235a774c669024969e58d4e7797a410bd7410a3194cfb7cb1f
Opcode Fuzzy Hash: 8c4735fb6be4edf8461e603650b60e0670a74cec34a182d9560d7aba9893d3f0
Instruction Fuzzy Hash: A9B13F70E00609CFDF14CFA9D98579EBBF2AF88314F18C129E419A7258FB759845CB92

Function 00D765C0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76c000eeec6fe51002451749b8f98e47248fdcd4256197e72c46816c67632ad
Instruction ID: 5123bce335babacec19eba595bf774b3e46cc4f0f485ba5659178aaa7eb7d8de
Opcode Fuzzy Hash: e76c000eeec6fe51002451749b8f98e47248fdcd4256197e72c46816c67632ad
Instruction Fuzzy Hash: D5B14A70E006098FDF14CFA9D98579DBBF2AF88354F28C129E419A7294FB74D845CBA1

Function 00D71727 Relevance: 5.4, Strings: 4, Instructions: 447COMMON

Download Yara Rule

Strings

a]q, xrefs: 00D71D3C
,, xrefs: 00D71870
xaq, xrefs: 00D71D76
a]q, xrefs: 00D71CDF

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: a]q$ a]q$,$xaq
API String ID: 0-452644037
Opcode ID: f96a710d92dca3637e93463b038a4c0d0a24e13f05d31bfe0a60059fdff4a373
Instruction ID: 17c4f7bac7984450eb52ac3f3c8d6cdec054b033958d2786bf3b49dbfe6ff631
Opcode Fuzzy Hash: f96a710d92dca3637e93463b038a4c0d0a24e13f05d31bfe0a60059fdff4a373
Instruction Fuzzy Hash: 3102AC747002049FC715EF68D894B6A7BE2FF84304F248A29E5059B3A9EF74ED46CB91

Function 00D71962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

a]q, xrefs: 00D71D3C
xaq, xrefs: 00D71D76
a]q, xrefs: 00D71CDF

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: a]q$ a]q$xaq
API String ID: 0-315583803
Opcode ID: e7fcab147f51744822dfda3cbfc178b8257bbfa7d829b19ba775b3c3edf7c59d
Instruction ID: b5a1e6837bd4ad0a337f1437b165a7a8c5c9e0ddff2dc9a553d83f8037b3739d
Opcode Fuzzy Hash: e7fcab147f51744822dfda3cbfc178b8257bbfa7d829b19ba775b3c3edf7c59d
Instruction Fuzzy Hash: 47619D747003048FD315AF39D844B2A7BE6FF84309F208929E1059B3A9EBB5ED46CB91

Function 00D70EB8 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

d6p, xrefs: 00D70F05
(aq, xrefs: 00D71192
Te]q, xrefs: 00D70EED

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: (aq$Te]q$d6p
API String ID: 0-967301506
Opcode ID: 9a0404c54985583c4fbd9709235e11204126dafca3d35d4531990a9ac7e7fb03
Instruction ID: 89b0580d24c103f1944846dd21ff60bbcd401fc3ffdc1ebbbccd1bc52c7ee1b5
Opcode Fuzzy Hash: 9a0404c54985583c4fbd9709235e11204126dafca3d35d4531990a9ac7e7fb03
Instruction Fuzzy Hash: 6D518D34B101148FCB54DF6DC458AAEBBF2FF88700F2581A9E906EB3A5DA75DD018B91

Function 00D79E10 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

[, xrefs: 00D7A02E
xaq, xrefs: 00D7A156

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: xaq$[
API String ID: 0-3815502426
Opcode ID: 2d8f2590d1efe9312eb3c932b685c9f52ffe8078b60fee6cb49bab3f40ba1f52
Instruction ID: 312bd11b90919b6fe3bcaa65488ca347eb6383f242f161639d1d4d6acc7d2e7a
Opcode Fuzzy Hash: 2d8f2590d1efe9312eb3c932b685c9f52ffe8078b60fee6cb49bab3f40ba1f52
Instruction Fuzzy Hash: 8E919170528300CFE796CF2AE85471977E1F78431EF14A519E884C73A4F7709A86EBA2

Function 00D70D20 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00D70D5B
Haq, xrefs: 00D70E40

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: 5add7302e2503f2b913b97babaf14d9c79e9ca0d37230e274456cc83577f50ad
Instruction ID: e54d9c91d0690528287fd13250d1390073efc983f41d5f623c614facc302c4e2
Opcode Fuzzy Hash: 5add7302e2503f2b913b97babaf14d9c79e9ca0d37230e274456cc83577f50ad
Instruction Fuzzy Hash: 8351B2317042448FCB15DF69D894AAEBFF6AF89300F1885AAE405DB3A2CB75DD05CB91

Function 00D79278 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$]q, xrefs: 00D792AD
$]q, xrefs: 00D792B7

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: f308396d063aa7cede9d75113a0172f2ddfa4121f9731ed70f3fa8d478c36b88
Instruction ID: 2e51ea2064695893216fc57bb28dce9a507534f8883f263b8eb6c71bc289610a
Opcode Fuzzy Hash: f308396d063aa7cede9d75113a0172f2ddfa4121f9731ed70f3fa8d478c36b88
Instruction Fuzzy Hash: 94412631708401DBC7186F6D94A852DFBB7BB84B01778C959E04A8B3A8DF32DC12DBA5

Function 00D72DA8 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

p :, xrefs: 00D72DD8

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: p :
API String ID: 0-4164439122
Opcode ID: 5a667a84922c84932b7413adc47e045b952716dbb725e9140f5c1557531daa09
Instruction ID: 92ced6be09000a1c44897f3af8db2d33ec6e6a125d88dc7ee155358a8ae786c0
Opcode Fuzzy Hash: 5a667a84922c84932b7413adc47e045b952716dbb725e9140f5c1557531daa09
Instruction Fuzzy Hash: C491CD30A002459FCB15DF69D880AAEFBF6FF85310F548569D409AB356EB30ED46CBA1

Function 00D79BB8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D79C56

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 7097066dd12de87a09ebaf5ad0802735618044ac29a250f49b030e5d079db5a3
Instruction ID: dae265fdb838aea7245a25bdde5f354814445920162285f94980713cac8de098
Opcode Fuzzy Hash: 7097066dd12de87a09ebaf5ad0802735618044ac29a250f49b030e5d079db5a3
Instruction Fuzzy Hash: 3F51AA356002009FD725DF69C868BA9BBB2FF88714F208159E402AB3E5DBB1AC41CB50

Function 00D71339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00D7138B

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 721b2d87222bcd6933abd0a5f5da7bf61b99bf3c0ae861df3458d29d9af0e75f
Instruction ID: 88ca4726e7ed99cf61526c4ef48b90c228946d4ca799b94147233f6965424ce8
Opcode Fuzzy Hash: 721b2d87222bcd6933abd0a5f5da7bf61b99bf3c0ae861df3458d29d9af0e75f
Instruction Fuzzy Hash: 02310534F002168FCB04AB7C985596E7BF6EFC5310B14456EE54ADB3A5EE30CC028791

Function 00D79261 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

$]q, xrefs: 00D792AD

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: fd447ef4f19ab64ab41567b73e1e1440ebfbb3a4147d7f68d61f30db5b97c35b
Instruction ID: 9ab6f1475b9e3e0b1a64b32cbe9f60e07e237d3b04762c785c292bec69cf63cd
Opcode Fuzzy Hash: fd447ef4f19ab64ab41567b73e1e1440ebfbb3a4147d7f68d61f30db5b97c35b
Instruction Fuzzy Hash: 1E417932708501DBC7196F6D98A852DFBB2BB85B01378C949E08A86394DB31DC13DBA5

Function 00D70D10 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00D70D5B

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: 44dcb0be8ff8b92ede42b5f27bbd3d5f4f0a6ce4003f119f3da04825e5f43b4b
Instruction ID: 51b3cc3bf6945b29ee0857b7f5fe7edc90f96cf8ba962250d16b6bbed28cd5c6
Opcode Fuzzy Hash: 44dcb0be8ff8b92ede42b5f27bbd3d5f4f0a6ce4003f119f3da04825e5f43b4b
Instruction Fuzzy Hash: 6E316E71A042048FCB15DF69C458BAEBFF1AF88300F18856AE405EB7A1DB75ED45CB91

Function 00D79190 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D791AA

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: ea3f32d11484ed9cd4b3d4712df9827966f3c419a574894420ffdfef0e9ce8b8
Instruction ID: ea2de201eba3baa1ee45dedebaa5e17e6cb325a7c13dae559f45e60177667c4e
Opcode Fuzzy Hash: ea3f32d11484ed9cd4b3d4712df9827966f3c419a574894420ffdfef0e9ce8b8
Instruction Fuzzy Hash: A321A1317101149FCB04AF78C868BADBBF6AF88B11F648159E506EB3A1DF708C058B65

Function 00D73321 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

|, xrefs: 00D73380

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 55e24715e1ca0424abf8ad171759322d2aadeaf6a537a1cf389f02dea71e9276
Instruction ID: 3e4d6be1426654f0f98ad9162b80380479673cee86942e8081ef4f44ffc50b18
Opcode Fuzzy Hash: 55e24715e1ca0424abf8ad171759322d2aadeaf6a537a1cf389f02dea71e9276
Instruction Fuzzy Hash: 5C117C71B10214DFDB50DB78C915BAE7BF5AF48704F10846AE94AE73A0EB35AE009B90

Function 00D79697 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D796C3

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: b41571db06ecb2daca4560fb5d7c67d895ab5d9aa82be41a128ca8ff79a5a287
Instruction ID: c0b3ac2f7425598b869c07ffe99db539e39bc4f3d6d64d3c2868d05b7693f13b
Opcode Fuzzy Hash: b41571db06ecb2daca4560fb5d7c67d895ab5d9aa82be41a128ca8ff79a5a287
Instruction Fuzzy Hash: 35118174B50101DFDB049F68C8A9B6DBBF6EF88710F14805AE506EB3A6DE719C45CB60

Function 00D796A8 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D796C3

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: ff03d01e3120a65695e0c5dad11cfc6721935e069fb6447c1b787b836a499acb
Instruction ID: 3af787f6ce664242643b7ca136e2c0646ae5f91aaba1749741dd4a41f07be3df
Opcode Fuzzy Hash: ff03d01e3120a65695e0c5dad11cfc6721935e069fb6447c1b787b836a499acb
Instruction Fuzzy Hash: AB118270B50104CFDB089F29C899B6EBBE6EF88710F148059E506AB3A1DEB19C01CBA0

Function 00D7A5D0 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00D7A5FD

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: c165714501282bee4d93d8d91f5b0eca8bbe02ea08a9cd804aae1d6302534e18
Instruction ID: 2a9d3349abb8ec37db08fa455db314873eff59d47f2d7a8bad635365ab70ddd4
Opcode Fuzzy Hash: c165714501282bee4d93d8d91f5b0eca8bbe02ea08a9cd804aae1d6302534e18
Instruction Fuzzy Hash: A011AC317505049FCB049B2CD859BAEBBF2EF88700F248069E406E73A0CFB19D058BA2

Function 00D70E3F Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Haq, xrefs: 00D70E40

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 9d558886bd8feecbe496a4f3942bdaf29b6b5a91274bb148ed54721dec823c85
Instruction ID: 3a52c3305638c5f3e4042814b05c90237c96b7cc421e31bf523c6d65cf62dd7e
Opcode Fuzzy Hash: 9d558886bd8feecbe496a4f3942bdaf29b6b5a91274bb148ed54721dec823c85
Instruction Fuzzy Hash: 2D01812070C2950FC3969B3D686446E6FA69FC625031A44FAE549CB3E3DD188D0A8396

Function 00D78CD8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00D78CED

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: e4369a11c835c74572e04de6773a9af615eafbb6197c4acd584429b6efe4bcba
Instruction ID: d0aba2071c5f6ecea2eb82622defac801f019a9c9c736aa10899c265ec5c996d
Opcode Fuzzy Hash: e4369a11c835c74572e04de6773a9af615eafbb6197c4acd584429b6efe4bcba
Instruction Fuzzy Hash: A7018171B401159FCB54EBB8D9166AE77F5FB88700F1080A9E50EDB290FB709E018BE1

Function 00D75CE4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3681a9855c478bc89a7c936d748a79a191587f04704938de96acf3e532f65b4
Instruction ID: a1a6c754c3e5dbbc643b6eeaea11bbd2d8b92b454988bfa1ebe75879963f3854
Opcode Fuzzy Hash: f3681a9855c478bc89a7c936d748a79a191587f04704938de96acf3e532f65b4
Instruction Fuzzy Hash: 8CB12F70E00609CFDF10CFA9D98579EBBF2AF48704F18C129E419A7258FB759945CBA2

Function 00D765B6 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c37bbf1e33ddebc69f226d85e53c4d9ec7821cae7a61cc8602266ba30b454f2
Instruction ID: 365e2c8bf5f46e6e532b240d22351d22c7490a7f0effed9732ffd121a220932b
Opcode Fuzzy Hash: 1c37bbf1e33ddebc69f226d85e53c4d9ec7821cae7a61cc8602266ba30b454f2
Instruction Fuzzy Hash: 6BA14B70E006098FDF14CFA9D98579DBBF1AF48354F288129D419A7294FB74D885CBA2

Function 00D7A208 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95eba987d0cbfd36043eb3733b5362c0d3e4b356a14d0dc83e027f188186a168
Instruction ID: 6b7f902197effa4e2242020757732da291e3e2119c40cdecaca92305625b9537
Opcode Fuzzy Hash: 95eba987d0cbfd36043eb3733b5362c0d3e4b356a14d0dc83e027f188186a168
Instruction Fuzzy Hash: 46A15A747006058FCB09EF78E49496D77B2EFC9304B108969E80ADB359EF75DD068BA2

Function 00D72A20 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca8de612171778f4367139b033c31dfd51faaf1930fe64af283282ba8c3016d
Instruction ID: 03ef658ff3714a0affe957e2208ca7bd9662d178612e752723ba50eacae4d3b5
Opcode Fuzzy Hash: bca8de612171778f4367139b033c31dfd51faaf1930fe64af283282ba8c3016d
Instruction Fuzzy Hash: B6A1A1B4600741DFCB05EF34E86491EBBB2FF84345B208A69D5068B369DB34990ACFD0

Function 00D72A30 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4616813d704b30de0ea62084270d5577dd429a7b017c3a9a19a90777746258e0
Instruction ID: 52c41bfae5ef2e12ebe60a33ab2f34a37bcf62975d4e55ea8476b5cf3402e8c8
Opcode Fuzzy Hash: 4616813d704b30de0ea62084270d5577dd429a7b017c3a9a19a90777746258e0
Instruction Fuzzy Hash: 05A18FB4604741DFCB05EF74E86491EBBB2FF84345B208A69D5068B369DB35990ACFD0

Function 00D7942A Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595d44b6c6b27c33bb619bd0716d01aca06ee54e8f4a3ef2b9a1abc703689206
Instruction ID: 1585b24f707bd8a0403fc8487e24ddfae382453c7030513619585cfd02a4a359
Opcode Fuzzy Hash: 595d44b6c6b27c33bb619bd0716d01aca06ee54e8f4a3ef2b9a1abc703689206
Instruction Fuzzy Hash: 1B51D175600115DFCB04EF68C894AAEFBB2FF44315F1185A9E809AB3A6D730EC01CB60

Function 00D737F8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a17876ba83bea1c1f518860df4db064f1a3f74feb953b1c7a332b3ab111266e
Instruction ID: be1ea67a9885bea7bf2743ed5746d021589cd03a6163f32d346e75ac33da176d
Opcode Fuzzy Hash: 4a17876ba83bea1c1f518860df4db064f1a3f74feb953b1c7a332b3ab111266e
Instruction Fuzzy Hash: 5741BF30A002448FCB24EBBDD4556AEBBE6EFC9710F14882DD10AD7341DF349D469BA1

Function 00D70AA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48d362974538af41b6fcdc977ed0daf31021478d3aed689fbf83b35e3370196
Instruction ID: 47b35520f7f5005b762619222724d5a5656ec6c38941de0035165c9b516a2d87
Opcode Fuzzy Hash: a48d362974538af41b6fcdc977ed0daf31021478d3aed689fbf83b35e3370196
Instruction Fuzzy Hash: CE5106B8215205CFCB06EF38F9549697776FFC4305321A668D4058B36DEB35A90ADF90

Function 00D711D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c60b3a19e86db33e3b0f2dafa72ded58481200e42f3778549dd654bf6e370a
Instruction ID: d992f9df421fc395f7eb36e641728303813c2065793062d8ad09ea4cde6550cc
Opcode Fuzzy Hash: c1c60b3a19e86db33e3b0f2dafa72ded58481200e42f3778549dd654bf6e370a
Instruction Fuzzy Hash: A3418270B00209AFCB04DFBD845566EBBFAFF84300F24C569D449D7346EA349A42CBA5

Function 00D74206 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04e86c20e3b85697b2b9c14998d146d6dacec2a8d1692ea2c8188a6e8330dea
Instruction ID: 34f9108ebb5aafe17418c0cf3a26d7aee8970d007ceb94e034792ef81b8f23b2
Opcode Fuzzy Hash: b04e86c20e3b85697b2b9c14998d146d6dacec2a8d1692ea2c8188a6e8330dea
Instruction Fuzzy Hash: 0C410FB1D01248DFCB10DF99C984ADEBFB5FF48314F248429E809AB254DB759945CB90

Function 00D74210 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d27b135789233f65a486cd50754f7c64818e4854ff9f03ea9d594716ceb127e
Instruction ID: 940aa5341ec604ec963d4196ac7249b628e47ca4f458f70c6002a063491a52ab
Opcode Fuzzy Hash: 5d27b135789233f65a486cd50754f7c64818e4854ff9f03ea9d594716ceb127e
Instruction Fuzzy Hash: 4241EEB0D00349DFCB14DFA9C584ADEBFB5FF48314F248429E809AB254DB75A945CBA0

Function 008FD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263045568.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee58de7e2301c0c82f8b9aa7d3134f25e484025182b418704434b7977047221
Instruction ID: 820c68bff08be0ba51f8ed50eb12f2ad0d0e0de74cea61d3ae0dc3e8b66bf989
Opcode Fuzzy Hash: 0ee58de7e2301c0c82f8b9aa7d3134f25e484025182b418704434b7977047221
Instruction Fuzzy Hash: 09210671504308DFDB05DF24D9C0B26BF66FB98318F20C569DB098B256C33AD816D7A2

Function 00D70998 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39db5a0139a4d272adc2ac78a06fb53d211ea0b2c84ef7a8dce100e3bc541017
Instruction ID: b6ddba7f13a6b0e1dc4df6f45a4a5fdfd38e21a28265aa0e2b146cdb1f8aa53d
Opcode Fuzzy Hash: 39db5a0139a4d272adc2ac78a06fb53d211ea0b2c84ef7a8dce100e3bc541017
Instruction Fuzzy Hash: 56214830A28342DFDB58AB76981863E3FA4AF50306F19D42D944FC21D2FB208940EB61

Function 00D78FF2 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a2302e4d26180ce5df2b072bf2532d20c27c0b3b7fbeaea56e3b4669ad1459
Instruction ID: 21bccfd82e165c617c890e5b72cf4b30a9fb95b57d71aa0adbf612f453a1b443
Opcode Fuzzy Hash: 96a2302e4d26180ce5df2b072bf2532d20c27c0b3b7fbeaea56e3b4669ad1459
Instruction Fuzzy Hash: 7A21A131600615CFCB18EB78D4646AE77F6EF89304F149428D406EB368EF319C42DBA2

Function 00D709A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e154e8a931fea5cebd38729b0fabedebe699103294aba9a4700bc5d3c513f1
Instruction ID: 95d13ae1bf776d3adf47d344dc754dc232136b845ad223c1553eedbe36c0ff82
Opcode Fuzzy Hash: 00e154e8a931fea5cebd38729b0fabedebe699103294aba9a4700bc5d3c513f1
Instruction Fuzzy Hash: 50212930624307DFDB54AB76A82863E7EA4AF50346F199429944FC62D2FB30C941EB72

Function 00D79E6B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0bce666a587ffa0ace6d6f68df176a79fa1dfaf089298665df40c4196105ba
Instruction ID: 3048243fe4f6a2bc13dcf62ace5af7bdd4d2902ad8bdf0fde7f6d25e9bbe8d08
Opcode Fuzzy Hash: fa0bce666a587ffa0ace6d6f68df176a79fa1dfaf089298665df40c4196105ba
Instruction Fuzzy Hash: D821BF359283008FD396CF2AFC5475477B1F78430AF14A51AE884C7269F7708A86EBA2

Function 00D7A1FA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b6a2f62ba6fac54753dd68d061efeeec398fb66cb0ff1b15edc867dae765d8
Instruction ID: 6e4e417cfa509f739b0437a26e44026416e285edb84140456bcc6ecc4295d97e
Opcode Fuzzy Hash: a8b6a2f62ba6fac54753dd68d061efeeec398fb66cb0ff1b15edc867dae765d8
Instruction Fuzzy Hash: 5311C1357002044BCB09ABB8E9A056D37EAEFC4714B008979C909D734AFF71DD0A87E2

Function 00D71431 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de33fffc54c4be31fa8fa0ee3192752e85ae77d346aebeead261027acf1ebcc
Instruction ID: 9443fa6dd95c47ff38151afd7d6a1816244de7583bce91be53fd5e61b6fc450b
Opcode Fuzzy Hash: 5de33fffc54c4be31fa8fa0ee3192752e85ae77d346aebeead261027acf1ebcc
Instruction Fuzzy Hash: 28119E74A052169FCB55EF7898049AE7BE1EF8930472449BDD409CB395EB30DD06DB90

Function 00D7B5B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0748fb84a8a14b8519cde10ec5cd09c549ddc414f99d5f174b0031628c3c616
Instruction ID: 117d3097fc7ea9a6d659da1f2ed0cecb4892d2067e417b9eff3dd4a50a40ed0a
Opcode Fuzzy Hash: b0748fb84a8a14b8519cde10ec5cd09c549ddc414f99d5f174b0031628c3c616
Instruction Fuzzy Hash: B611B770A002454FCB41FB78E8519ADBBB1EF81314F10866DD509CB29AEB71990ACBE1

Function 008FD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263045568.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8fd000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 60d0ee8c42683bb0ef33efb164b3d922a203c3e7532496375345706530a97aa0
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: F411D676504344CFDB16CF14D5C4B26BF72FB98314F24C5A9DA054B256C336D856CBA2

Function 00D71440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2360760f3e3ee688d82f71af0dee67cc8f7b506d42d78a437e7fa5af8c3ed5ae
Instruction ID: e9598f23b076fc50db96b1dd7f663599b92b0a8277f802c6693bae5e1c025d1b
Opcode Fuzzy Hash: 2360760f3e3ee688d82f71af0dee67cc8f7b506d42d78a437e7fa5af8c3ed5ae
Instruction Fuzzy Hash: 51115B78B012059FCB54EBBDD51466A7BE6FF8830572449B9D50ADB358EA31DC01CBA0

Function 00D7B5C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ce67936c9b9dcd8a71f6713a82a2391692229f8aec3cefa1e1e65ccf89d385
Instruction ID: 132f329fe202e24e8efbf41a985e7f880614955046441ca98588aa1587decfd1
Opcode Fuzzy Hash: c1ce67936c9b9dcd8a71f6713a82a2391692229f8aec3cefa1e1e65ccf89d385
Instruction Fuzzy Hash: B111B2706002458FCB45FB38E451A6EBBB5EF81314F108A69D1098B24AEF719A0ACBE1

Function 00D737E9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fe0b810343202cfd0c008e34d3922dd823b5d799813811e59845668a6cd248
Instruction ID: 4e051462129890e6648596c4eb5ed60f797c1444e388454046a8164c9b2b3da4
Opcode Fuzzy Hash: 82fe0b810343202cfd0c008e34d3922dd823b5d799813811e59845668a6cd248
Instruction Fuzzy Hash: 3F01B1313006408BC725A67899A467E76D7ABC5355B18883DE00AC7746DF34CC46A752

Function 00D78D60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5198d9eabecc1368fafa9df918dd0641bdb3c3b121e87f3d41c15f47171883f
Instruction ID: ac3bb4d3a85480d5b174e108bb423e0839e773c555382cd057afb615702312bc
Opcode Fuzzy Hash: a5198d9eabecc1368fafa9df918dd0641bdb3c3b121e87f3d41c15f47171883f
Instruction Fuzzy Hash: 031100B58002488FCB20DF99D589BDEBBF4EB08314F20840AD529A3250D378A544CFA0

Function 00D78D68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74def2761bfb72787ab41673aaa0fa7d569aa3c5d15f781f333209cf4822bfb7
Instruction ID: 440a214c664f30a8403f994527fec543d15fa6bb3714b8fd7bc2c934172c1a32
Opcode Fuzzy Hash: 74def2761bfb72787ab41673aaa0fa7d569aa3c5d15f781f333209cf4822bfb7
Instruction Fuzzy Hash: F41120B48003488FCB20DF9AC588BDEBBF4FB48324F20841AD519A3340D779A944CFA1

Function 00D7887F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05ff69dbdd3dc43b2d9b4f494ff1bdb443e7d3bd5efc69829ce9be16c99fdca
Instruction ID: cd08c8848b04b08ef999685c18331e231f7f2389b6ee44c0587980028497b95b
Opcode Fuzzy Hash: c05ff69dbdd3dc43b2d9b4f494ff1bdb443e7d3bd5efc69829ce9be16c99fdca
Instruction Fuzzy Hash: 3AF05522B041484BC711A6B8D86DB6D37C49FC2740FEC04E8D64ADB3A9EE11DD0153E2

Function 00D70E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af9d5b096816caf5b58a6694f9ef7876c4fd08a1cc707d0ba8670aaea756e0d
Instruction ID: e9f66d920cf94d183e05e05fcd3ac8d8ad9856d284d95114f72cd9bc82d4775e
Opcode Fuzzy Hash: 1af9d5b096816caf5b58a6694f9ef7876c4fd08a1cc707d0ba8670aaea756e0d
Instruction Fuzzy Hash: B4E0C2313002045F83449B3EB88485BB7DFEFC912535544B9F10DC7321DD60DC024390

Function 00D725F1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37ee2bfa7be43912d92a25c921a2a05b44f1f7f0ed59b20c4f255cfb86827b6
Instruction ID: e45002dff2955ac45069238e8b638d2c34ba16ea32c37a6bcfbf2c1d53ab08a8
Opcode Fuzzy Hash: a37ee2bfa7be43912d92a25c921a2a05b44f1f7f0ed59b20c4f255cfb86827b6
Instruction Fuzzy Hash: D2D05E756581808FC302CE64D8E4C997F75EF6520431600DED442CB763C610D406DB21

Function 00D70A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68102c9dc6800e28741d2d70526d024a9da1c28051ebd34fc8ba33514531bde
Instruction ID: 58c8172351559b1d84ca9ed8bc7775120fa8b38acdebdfc2f4f84cbc77e2442e
Opcode Fuzzy Hash: c68102c9dc6800e28741d2d70526d024a9da1c28051ebd34fc8ba33514531bde
Instruction Fuzzy Hash: 0EC08C2013C307CFD31023B1D92C62C3E109B4030BF059151A08B040F3AEB40941B33B

Function 00D70A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1394cd614b1cea01b2b5e0839a66d94d28bf4a716701b508e8490cf6caf5899f
Instruction ID: 68d7178accbb6a5844090ecd37f9f53976e932a3ed90864ace36c372c33042c7
Opcode Fuzzy Hash: 1394cd614b1cea01b2b5e0839a66d94d28bf4a716701b508e8490cf6caf5899f
Instruction Fuzzy Hash: 15C08C2013C74ACFD7101371D92C62C3F109B4030BF059156A08B040F3AEB40981B73B

Function 00D72600 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84205d7383dd1e68a6be31427904abc202afc0842c55051126b34c2ace9524fd
Instruction ID: abc809a85dffd585171953c6392fca54b9b65dc304bde1d92e123635f257c3a9
Opcode Fuzzy Hash: 84205d7383dd1e68a6be31427904abc202afc0842c55051126b34c2ace9524fd
Instruction Fuzzy Hash: 15C09239260208CFC344EF99E588C22B7ECFF98B003511099E5018B736CB21FC10DB61

Non-executed Functions

Function 00D76EC0 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

$]q, xrefs: 00D76ED6
Xaq, xrefs: 00D76EEF

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: e026b8b150a2bcb09eeb6866b09aabcf585d1b82ee9349f09c246164f04f8370
Instruction ID: 1c4c6e390fc3d7e7dcb6b1de2e45db39fa91a0388fd2601a81e77d2e1b2a6dbd
Opcode Fuzzy Hash: e026b8b150a2bcb09eeb6866b09aabcf585d1b82ee9349f09c246164f04f8370
Instruction Fuzzy Hash: A6817534B082189BDB089F79986467E7BB7BFC4750B14C92DE44AE7394DE34DC0297A1

Function 00D7A7A8 Relevance: 1.0, Instructions: 1024COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff904fe7d32f1ad4d8c821c69a062933dfcda9189ec31b1a1253904ebd24bd1
Instruction ID: 016953ba58bb1b79dd3ebdeef0149452f8510e9dc3f218414652f3317f54af84
Opcode Fuzzy Hash: dff904fe7d32f1ad4d8c821c69a062933dfcda9189ec31b1a1253904ebd24bd1
Instruction Fuzzy Hash: 76826A707002058FDB18DF69D894B2EBAE2FF84304F64C469E54A8B3A6DF75DD068B61

Function 00D759A8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263482162.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_I6la3suRdt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0613bd46ef2502c98cbb107bf4f987ab8a9385de7691b3db1d970dde688903
Instruction ID: 3b616099ec0656e0801384aaf3f6f9401f1dc81a78bd859d6e17fb4b7e709f16
Opcode Fuzzy Hash: 3b0613bd46ef2502c98cbb107bf4f987ab8a9385de7691b3db1d970dde688903
Instruction Fuzzy Hash: 3D915170E00709DFDF14CFA9D9817ADBBF2AF88704F28C129D419A7258EBB49845CB52

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I6la3suRdt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

Statistics

Windows Analysis Report
I6la3suRdt.exe