Edit tour

Windows Analysis Report
Client.exe

Overview

General Information

Sample name:	Client.exe
Analysis ID:	1587363
MD5:	b6811a1daca8cfda16da0f730c174133
SHA1:	92d67d3836def51f5a45389692292b2998a0c559
SHA256:	d5619e740a38ee0c894dd17051419306c4b35ad55a1558854ed82527a4aa736c
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Client.exe (PID: 3300 cmdline: "C:\Users\user\Desktop\Client.exe" MD5: B6811A1DACA8CFDA16DA0F730C174133)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "0.tcp.in.ngrok.io", "Ports": "10147", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "Listopener.exe", "Install_File": "aWVPNVFPYW9UOGdRNjZWQVFpNVZBaE44Rm9UbHlKaW8="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Client.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9941:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b59:$a4: vmware 0x99d1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
Client.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x745a:$str02: get_SslClient 0x7476:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x648d:$str06: set_UseShellExecute 0x9c77:$str07: Pastebin 0x9cf9:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a51:$str10: timeout 3 > NUL 0x9941:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99d1:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Client.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99d3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97d3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Client.exe PID: 3300	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Client.exe PID: 3300	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3b4b9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client.exe.c40000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.Client.exe.c40000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Client.exe.c40000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9941:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b59:$a4: vmware 0x99d1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
0.0.Client.exe.c40000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x745a:$str02: get_SslClient 0x7476:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x648d:$str06: set_UseShellExecute 0x9c77:$str07: Pastebin 0x9cf9:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a51:$str10: timeout 3 > NUL 0x9941:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99d1:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.Client.exe.c40000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99d3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Antivirus detection for URL or domain

Source: 0.tcp.in.ngrok.io

Avira URL Cloud: Label: malware

Found malware configuration

Source: Client.exe

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "0.tcp.in.ngrok.io", "Ports": "10147", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "Listopener.exe", "Install_File": "aWVPNVFPYW9UOGdRNjZWQVFpNVZBaE44Rm9UbHlKaW8="}

Multi AV Scanner detection for submitted file

Source: Client.exe	Virustotal: Detection: 73%			Perma Link
Source: Client.exe	ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Client.exe

Joe Sandbox ML: detected

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 0.tcp.in.ngrok.io

Yara detected Generic Downloader

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.6:49710 -> 35.154.189.194:10147
Source: global traffic	TCP traffic: 192.168.2.6:57025 -> 13.202.226.61:10147

Source: global traffic

TCP traffic: 192.168.2.6:56839 -> 1.1.1.1:53

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 0.tcp.in.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Client.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: Client.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_01864958	0_2_01864958
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_01864088	0_2_01864088
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_01865B20	0_2_01865B20
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_01863D40	0_2_01863D40

Source: Client.exe, 00000000.00000000.2118325333.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs Client.exe
Source: Client.exe	Binary or memory string: OriginalFilenameStub.exe" vs Client.exe

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Client.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\Client.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q52IWD1RYgpZ

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client.exe	Virustotal: Detection: 73%
Source: Client.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Client.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 1860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 1A20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe TID: 5388

Thread sleep time: -80000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Client.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: Client.exe	Binary or memory string: vmware
Source: Client.exe, 00000000.00000002.3366342123.00000000054B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Client.exe

Code function: 0_2_01862D4C CheckRemoteDebuggerPresent,

0_2_01862D4C

Source: C:\Users\user\Desktop\Client.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 3300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Scheduled Task/Job	4 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	4 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Client.exe	74%	Virustotal		Browse
Client.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
Client.exe	100%	Avira	TR/Dropper.Gen
Client.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
0.tcp.in.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
0.tcp.in.ngrok.io	35.154.189.194	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0.tcp.in.ngrok.io	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.154.189.194	0.tcp.in.ngrok.io	United States		16509	AMAZON-02US	true
13.202.226.61	unknown	United States		7018	ATT-INTERNET4US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587363
Start date and time:	2025-01-10 09:20:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
0.tcp.in.ngrok.io	CV.vbs	Get hash	malicious	Xmrig	Browse	3.6.115.64
	RobloxCheats.exe	Get hash	malicious	Unknown	Browse	3.6.98.232
	kuEfaZxkiY.exe	Get hash	malicious	RedLine	Browse	3.6.115.182
	ae6T8jJueq.exe	Get hash	malicious	Njrat	Browse	3.6.115.64
	nOZ2Oqnzbz.exe	Get hash	malicious	Njrat	Browse	3.6.115.64
	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse	3.6.30.85
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	jango.exe	Get hash	malicious	XWorm	Browse	3.6.30.85
	cracksetup.exe	Get hash	malicious	Nanocore	Browse	3.6.98.232

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	5.elf	Get hash	malicious	Unknown	Browse	99.38.217.117
	3.elf	Get hash	malicious	Unknown	Browse	99.131.30.169
	5.elf	Get hash	malicious	Unknown	Browse	104.56.59.108
	5.elf	Get hash	malicious	Unknown	Browse	67.115.121.134
	6.elf	Get hash	malicious	Unknown	Browse	99.35.249.8
	armv4l.elf	Get hash	malicious	Unknown	Browse	12.189.0.235
	armv6l.elf	Get hash	malicious	Unknown	Browse	108.255.169.76
	armv5l.elf	Get hash	malicious	Unknown	Browse	107.194.28.41
	https://rachelfix-enum.staging-homes.rewiringamerica.org/	Get hash	malicious	Unknown	Browse	98.98.135.24
	3.elf	Get hash	malicious	Unknown	Browse	76.254.108.205
AMAZON-02US	1162-201.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	https://cdn.btmessage.com/	Get hash	malicious	HTMLPhisher	Browse	52.211.89.170
	3.elf	Get hash	malicious	Unknown	Browse	18.151.37.43
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	13.32.121.98
	5.elf	Get hash	malicious	Unknown	Browse	34.248.106.44
	6.elf	Get hash	malicious	Unknown	Browse	13.213.186.124
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	65.9.66.13
	armv6l.elf	Get hash	malicious	Unknown	Browse	3.65.161.32
	https://paybxss.716as7qy3nzyy2eo1omfskt9q0wrkj88.oastify.com/	Get hash	malicious	Unknown	Browse	3.248.33.252
	https://rachelfix-enum.staging-homes.rewiringamerica.org/	Get hash	malicious	Unknown	Browse	18.245.86.4

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.44725937896768
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client.exe
File size:	46'080 bytes
MD5:	b6811a1daca8cfda16da0f730c174133
SHA1:	92d67d3836def51f5a45389692292b2998a0c559
SHA256:	d5619e740a38ee0c894dd17051419306c4b35ad55a1558854ed82527a4aa736c
SHA512:	c1fe4b8edc38eef9ce12ae56f7874690b50519b12560620766c7e0b9f6a8cf1f9d00f648f6fa15b328320435e013bccae2dd2195985d8121ffc3c16b521b857d
SSDEEP:	768:9ujY21TUET1/WUT1V9mo2qz4KjPGaG6PIyzjbFgX3iaIqH5jdrK9APGuU2BDZzx:9ujY21TU0r21KTkDy3bCXSeHrKqPfdzx
TLSH:	6C232B003BE9812BF2BE8FB859F26145857AF6A33603D6491CC451D74B13FC69A426FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c72e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa734	0xa800	e86074d5096089595a507d8316cbfea6	False	0.4995814732142857	data	5.502467597701495	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	52e47f744a136ff1d37b341562dee345	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 09:21:06.529690981 CET	49710	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:06.534517050 CET	10147	49710	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:06.534599066 CET	49710	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:06.548561096 CET	49710	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:06.553401947 CET	10147	49710	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:08.511086941 CET	10147	49710	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:08.511199951 CET	49710	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:13.531625986 CET	49710	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:13.532346964 CET	49737	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:13.536427021 CET	10147	49710	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:13.537132025 CET	10147	49737	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:13.537214994 CET	49737	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:13.537472010 CET	49737	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:13.542220116 CET	10147	49737	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:15.540848970 CET	10147	49737	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:15.541054964 CET	49737	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:20.545392036 CET	49737	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:20.546441078 CET	49788	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:20.550307989 CET	10147	49737	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:20.551256895 CET	10147	49788	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:20.551352024 CET	49788	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:20.554559946 CET	49788	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:20.559305906 CET	10147	49788	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:22.534452915 CET	10147	49788	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:22.534534931 CET	49788	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:23.380961895 CET	56839	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:21:23.385740995 CET	53	56839	1.1.1.1	192.168.2.6
Jan 10, 2025 09:21:23.385803938 CET	56839	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:21:23.390590906 CET	53	56839	1.1.1.1	192.168.2.6
Jan 10, 2025 09:21:23.829401016 CET	56839	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:21:23.834428072 CET	53	56839	1.1.1.1	192.168.2.6
Jan 10, 2025 09:21:23.834481001 CET	56839	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:21:27.545145988 CET	49788	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:27.546076059 CET	56868	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:27.549992085 CET	10147	49788	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:27.550896883 CET	10147	56868	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:27.550982952 CET	56868	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:27.551214933 CET	56868	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:27.555986881 CET	10147	56868	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:29.518553019 CET	10147	56868	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:29.518632889 CET	56868	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:34.529583931 CET	56868	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:34.530606985 CET	56914	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:34.534409046 CET	10147	56868	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:34.535451889 CET	10147	56914	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:34.535547018 CET	56914	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:34.535856962 CET	56914	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:34.540685892 CET	10147	56914	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:36.504386902 CET	10147	56914	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:36.504455090 CET	56914	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:41.517461061 CET	56914	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:41.518214941 CET	56961	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:41.522447109 CET	10147	56914	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:41.522953033 CET	10147	56961	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:41.523037910 CET	56961	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:41.523317099 CET	56961	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:41.528115988 CET	10147	56961	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:43.502646923 CET	10147	56961	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:43.502762079 CET	56961	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:48.513797045 CET	56961	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:48.514578104 CET	57003	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:48.518631935 CET	10147	56961	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:48.519416094 CET	10147	57003	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:48.519494057 CET	57003	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:48.519763947 CET	57003	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:48.524547100 CET	10147	57003	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:50.503544092 CET	10147	57003	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:50.503599882 CET	57003	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:55.513854980 CET	57003	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:55.514570951 CET	57022	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:55.519434929 CET	10147	57003	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:55.519556999 CET	10147	57022	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:55.519618034 CET	57022	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:55.519891024 CET	57022	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:21:55.524641991 CET	10147	57022	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:57.484467983 CET	10147	57022	35.154.189.194	192.168.2.6
Jan 10, 2025 09:21:57.484546900 CET	57022	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:02.499814034 CET	57022	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:02.501030922 CET	57024	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:02.504697084 CET	10147	57022	35.154.189.194	192.168.2.6
Jan 10, 2025 09:22:02.505960941 CET	10147	57024	35.154.189.194	192.168.2.6
Jan 10, 2025 09:22:02.506066084 CET	57024	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:02.506342888 CET	57024	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:02.511185884 CET	10147	57024	35.154.189.194	192.168.2.6
Jan 10, 2025 09:22:04.485274076 CET	10147	57024	35.154.189.194	192.168.2.6
Jan 10, 2025 09:22:04.485333920 CET	57024	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:09.498575926 CET	57024	10147	192.168.2.6	35.154.189.194
Jan 10, 2025 09:22:09.503674984 CET	10147	57024	35.154.189.194	192.168.2.6
Jan 10, 2025 09:22:09.522717953 CET	57025	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:09.527863026 CET	10147	57025	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:09.527956963 CET	57025	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:09.528253078 CET	57025	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:09.533073902 CET	10147	57025	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:11.500252008 CET	10147	57025	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:11.500374079 CET	57025	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:16.513789892 CET	57025	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:16.514595985 CET	57027	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:16.519658089 CET	10147	57025	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:16.519710064 CET	10147	57027	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:16.519788027 CET	57027	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:16.520155907 CET	57027	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:16.527991056 CET	10147	57027	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:18.486495018 CET	10147	57027	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:18.486623049 CET	57027	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:23.498126030 CET	57027	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:23.503169060 CET	10147	57027	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:23.507267952 CET	57029	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:23.512208939 CET	10147	57029	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:23.512274981 CET	57029	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:23.512916088 CET	57029	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:23.518424988 CET	10147	57029	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:25.487967014 CET	10147	57029	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:25.488039017 CET	57029	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:30.498311996 CET	57029	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:30.499001980 CET	57030	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:30.503367901 CET	10147	57029	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:30.503987074 CET	10147	57030	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:30.504075050 CET	57030	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:30.505161047 CET	57030	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:30.509937048 CET	10147	57030	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:32.469597101 CET	10147	57030	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:32.469810009 CET	57030	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:37.482429028 CET	57030	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:37.483293056 CET	57031	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:37.487308979 CET	10147	57030	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:37.488116026 CET	10147	57031	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:37.488188028 CET	57031	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:37.488564968 CET	57031	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:37.493364096 CET	10147	57031	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:39.458899975 CET	10147	57031	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:39.458966970 CET	57031	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:44.466816902 CET	57031	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:44.467978001 CET	57033	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:44.471730947 CET	10147	57031	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:44.472771883 CET	10147	57033	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:44.472863913 CET	57033	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:44.473213911 CET	57033	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:44.477987051 CET	10147	57033	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:46.421953917 CET	10147	57033	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:46.422154903 CET	57033	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:51.438941002 CET	57033	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:51.439467907 CET	57034	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:51.443846941 CET	10147	57033	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:51.444287062 CET	10147	57034	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:51.444364071 CET	57034	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:51.444612980 CET	57034	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:51.449362040 CET	10147	57034	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:53.408312082 CET	10147	57034	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:53.408416986 CET	57034	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:58.420114994 CET	57034	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:58.420742989 CET	57035	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:58.425056934 CET	10147	57034	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:58.425580978 CET	10147	57035	13.202.226.61	192.168.2.6
Jan 10, 2025 09:22:58.425693035 CET	57035	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:58.425923109 CET	57035	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:22:58.430663109 CET	10147	57035	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:00.391057968 CET	10147	57035	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:00.391175032 CET	57035	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:23:05.404448032 CET	57035	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:23:05.405242920 CET	57036	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:23:05.409420967 CET	10147	57035	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:05.410079002 CET	10147	57036	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:05.410311937 CET	57036	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:23:05.410676003 CET	57036	10147	192.168.2.6	13.202.226.61
Jan 10, 2025 09:23:05.415498018 CET	10147	57036	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:07.375261068 CET	10147	57036	13.202.226.61	192.168.2.6
Jan 10, 2025 09:23:07.375370979 CET	57036	10147	192.168.2.6	13.202.226.61

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 09:21:06.516405106 CET	64289	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:21:06.527724028 CET	53	64289	1.1.1.1	192.168.2.6
Jan 10, 2025 09:21:23.380461931 CET	53	50406	1.1.1.1	192.168.2.6
Jan 10, 2025 09:22:09.499696970 CET	62715	53	192.168.2.6	1.1.1.1
Jan 10, 2025 09:22:09.521939039 CET	53	62715	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 09:21:06.516405106 CET	192.168.2.6	1.1.1.1	0xc03a	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 10, 2025 09:22:09.499696970 CET	192.168.2.6	1.1.1.1	0xa22d	Standard query (0)	0.tcp.in.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 09:21:06.527724028 CET	1.1.1.1	192.168.2.6	0xc03a	No error (0)	0.tcp.in.ngrok.io		35.154.189.194	A (IP address)	IN (0x0001)	false
Jan 10, 2025 09:22:09.521939039 CET	1.1.1.1	192.168.2.6	0xa22d	No error (0)	0.tcp.in.ngrok.io		13.202.226.61	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:21:01
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Client.exe"
Imagebase:	0xc40000
File size:	46'080 bytes
MD5 hash:	B6811A1DACA8CFDA16DA0F730C174133
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2118306306.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.3365364432.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.3%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 01862D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0186532F

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 06ab4e18cfef33508ba577f87122e5b46523ab4ce988ab1d5412c864d4912579
Instruction ID: 85338d8a3f82a45e9cb96420d6464447af7d6ee9928bcf663e809183e8cb47e1
Opcode Fuzzy Hash: 06ab4e18cfef33508ba577f87122e5b46523ab4ce988ab1d5412c864d4912579
Instruction Fuzzy Hash: 822139B1801259CFDB10CF9AD4447EEBBF4EF49320F14846AE559A7240D778A944CF61

Function 01865B20 Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3657cef8f405898c88ce32cab1fdc33182d099335f7b858bb3797cf99c860994
Instruction ID: b8e1e057c84946f1f64afa04602084201680d86830f8fba45ea699527a27be68
Opcode Fuzzy Hash: 3657cef8f405898c88ce32cab1fdc33182d099335f7b858bb3797cf99c860994
Instruction Fuzzy Hash: 13B1A434B042598FDB18AB79985467E7BF7BFC8750B05C86EE406DB388DE349D028792

Function 01864088 Relevance: .3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a34f9718e73ca4fbacaf1dc4e289f8b7b8e980b4edded67705142c372d95e9
Instruction ID: 9e80e36d691fe8ad3fe313ed468c2e31e1c7a53e4471d6167af741c7409d82b5
Opcode Fuzzy Hash: 94a34f9718e73ca4fbacaf1dc4e289f8b7b8e980b4edded67705142c372d95e9
Instruction Fuzzy Hash: 58B16E70E00609CFDB14CFA9C985BAEBBF6BF88714F248129D815EB354EB749945CB81

Function 01864958 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9944255a30f0e049f31aaf522d569ef0410ae1d9f0c03fe60a611477fb683f
Instruction ID: 05b8157fc37e3fb471177c51d6ef5e397c0de2257c416bb9a528dff7d394ca35
Opcode Fuzzy Hash: 3b9944255a30f0e049f31aaf522d569ef0410ae1d9f0c03fe60a611477fb683f
Instruction Fuzzy Hash: 35B18C70E00209DFEB14CFA9C8817ADBBF6BF88714F248129D815E7398EB749945CB85

Function 018652B0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0186532F

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9680b84bd48d60ddcc561919f3676d3d57f7f3c360e91772f88eed1268ecb51d
Instruction ID: 92d5145c67d4b82e37318cc70c6c677178a0a045a3ed0cd7cc38061452e3e849
Opcode Fuzzy Hash: 9680b84bd48d60ddcc561919f3676d3d57f7f3c360e91772f88eed1268ecb51d
Instruction Fuzzy Hash: 262139B1C00259CFDB10CF9AD4847EEBBF4BF49320F24846AE855A3250D7789944CF61

Non-executed Functions

Function 01863D40 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3365143126.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1860000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa10e50b7f1c9a974ba64d9937f28ded87f7aa1c1ac67d797282f564eb1c9132
Instruction ID: d739a306050568ad336e3500d27d1f5accb57501d802dd17adf4e0a600107a99
Opcode Fuzzy Hash: aa10e50b7f1c9a974ba64d9937f28ded87f7aa1c1ac67d797282f564eb1c9132
Instruction Fuzzy Hash: F0918E70E00249CFDF10CFA9D9857AEBBF6BF88314F148529E809E7294EB749945CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Client.exe

Function 01862D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 01865B20 Relevance: .3, Instructions: 332
COMMON

Function 01864088 Relevance: .3, Instructions: 281
COMMON

Function 01864958 Relevance: .3, Instructions: 266
COMMON

Function 018652B0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON