Edit tour

Windows Analysis Report
rEzX7eqgfo.exe

Overview

General Information

Sample name:	rEzX7eqgfo.exe renamed because original name is a hash value
Original sample name:	8c6a99f240d978718d2f962619c23168.exe
Analysis ID:	1589015
MD5:	8c6a99f240d978718d2f962619c23168
SHA1:	cbee26a0553840d6f3cdb5fc306c3bc13cdbf7d4
SHA256:	240175a3a74b70fb9f6d0463042d6ef21223e2acc843e589d91ec607d52305a8
Tags:	AsyncRATexeuser-abuse_ch
Infos:

Detection

KeyLogger, StormKitty, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BrowserPasswordDump

Yara detected Keylogger Generic

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected VenomRAT

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rEzX7eqgfo.exe (PID: 4900 cmdline: "C:\Users\user\Desktop\rEzX7eqgfo.exe" MD5: 8C6A99F240D978718D2F962619C23168)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: VenomRAT

{"Host": ["62.60.226.26"], "Port": ["4449"], "Version": "RAT + hVNC  6.0.5", "Install": "false", "Mutex": "ahyttjzatffxeud", "Certificate": "MIICLjCCAZegAwIBAgIVAPBPXxep5LHy//3KuSIltMYfCHGFMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMDExNTE1MTZaFw0zNDEyMDkxNTE1MTZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCeUwNOg+0AZcPc0s4gmcK4Eni/3+DY0l45lVNKN0ddW0llXjiJbL0hqKpFdIVBh+3h2QTWbyOLwRM8Ct/nGBZTAG9YYA0RsfHEagU/ldxyA3z74NXaKrRDTncdq/nqig5/djsiWgmAkMTlyQ2XeHXMCHDu72Z79yJPCeGsfqxMQIDAQABozIwMDAdBgNVHQ4EFgQUOiSpmpnHxWJvh331ptHI08FPmpkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBvwnIi5E7QmPobMpZMeXDyO+1W1jFAUEJDqBuW7izCZ69Yr/LcVTSfPfJJSJXa1zKf8+TMBPo/Sd2ajCceWmQuUz97G5Bq1oYrED8c9U0Wk6pLMIMAE01Fbl4R790/gBE14xYlzjT3BpJS8m6Nr47WmbtloVxtShR3L0i9niB1IQ==", "Server Signature": "fjw0lvS8s/tcJnmMFJ7edVbjUG8evoOVVUkVscDiiUVIhK2UDABNdbg8yar5sbo480hx86wqAKVABj/XspN5PKuyWVLKhdo6+8bgL09CrVVPS8mtUxvUVirga0uc6Rct8WZQzoTyo9Hir4tdEWyFpj40Vgm4TR92sJDwK7SbWM0="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
rEzX7eqgfo.exe	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
rEzX7eqgfo.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
rEzX7eqgfo.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
rEzX7eqgfo.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
rEzX7eqgfo.exe	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
rEzX7eqgfo.exe	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
rEzX7eqgfo.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
rEzX7eqgfo.exe	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
rEzX7eqgfo.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
rEzX7eqgfo.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b830:$str05: Perfor_mance 0x29b874:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c122:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b410:$str12: ProcessHacker.exe 0x29b602:$str13: Select * from Win32_CacheMemory
rEzX7eqgfo.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
rEzX7eqgfo.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b602:$q1: Select * from Win32_CacheMemory 0x29b642:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b690:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b6de:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
rEzX7eqgfo.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
rEzX7eqgfo.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
rEzX7eqgfo.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
rEzX7eqgfo.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
rEzX7eqgfo.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 12 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241208:$a1: havecamera 0x28c032:$a2: timeout 3 > NUL 0x28f3b5:$a3: START "" " 0x28f8ca:$a3: START "" " 0x28f7a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28f842:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293606:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28b8a2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287a16:$s6: VirtualBox 0x297595:$s6: VirtualBox 0x292fb2:$s8: Win32_ComputerSystem 0x2974fb:$s8: Win32_ComputerSystem 0x2900de:$s9: Win32_Process Where ParentProcessID= 0x28fcfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28fd98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28fead:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28ff95:$cnc4: POST / HTTP/1.1
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rEzX7eqgfo.exe PID: 4900	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xd5c65:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: rEzX7eqgfo.exe PID: 4900	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x79a19:$s6: VirtualBox 0xd593b:$s8: Win32_ComputerSystem 0xd7b58:$s8: Win32_ComputerSystem 0xd4291:$s9: Win32_Process Where ParentProcessID= 0xd40a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd40f2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd417c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd41f0:$cnc4: POST / HTTP/1.1
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177aa6:$str05: Perfor_mance 0x177aea:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x178398:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x177686:$str12: ProcessHacker.exe 0x177878:$str13: Select * from Win32_CacheMemory
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x177878:$q1: Select * from Win32_CacheMemory 0x1778b8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x177906:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x177954:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0.0.rEzX7eqgfo.exe.850000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.rEzX7eqgfo.exe.850000.0.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
0.0.rEzX7eqgfo.exe.850000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
0.0.rEzX7eqgfo.exe.850000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b830:$str05: Perfor_mance 0x29b874:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c122:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b410:$str12: ProcessHacker.exe 0x29b602:$str13: Select * from Win32_CacheMemory
0.0.rEzX7eqgfo.exe.850000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
0.0.rEzX7eqgfo.exe.850000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b602:$q1: Select * from Win32_CacheMemory 0x29b642:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b690:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b6de:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.rEzX7eqgfo.exe.850000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.rEzX7eqgfo.exe.850000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
0.0.rEzX7eqgfo.exe.850000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.rEzX7eqgfo.exe.850000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
0.0.rEzX7eqgfo.exe.850000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
Click to see the 27 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rEzX7eqgfo.exe

Avira: detected

Found malware configuration

Source: rEzX7eqgfo.exe

Malware Configuration Extractor: VenomRAT {"Host": ["62.60.226.26"], "Port": ["4449"], "Version": "RAT + hVNC 6.0.5", "Install": "false", "Mutex": "ahyttjzatffxeud", "Certificate": "MIICLjCCAZegAwIBAgIVAPBPXxep5LHy//3KuSIltMYfCHGFMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMDExNTE1MTZaFw0zNDEyMDkxNTE1MTZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCeUwNOg+0AZcPc0s4gmcK4Eni/3+DY0l45lVNKN0ddW0llXjiJbL0hqKpFdIVBh+3h2QTWbyOLwRM8Ct/nGBZTAG9YYA0RsfHEagU/ldxyA3z74NXaKrRDTncdq/nqig5/djsiWgmAkMTlyQ2XeHXMCHDu72Z79yJPCeGsfqxMQIDAQABozIwMDAdBgNVHQ4EFgQUOiSpmpnHxWJvh331ptHI08FPmpkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBvwnIi5E7QmPobMpZMeXDyO+1W1jFAUEJDqBuW7izCZ69Yr/LcVTSfPfJJSJXa1zKf8+TMBPo/Sd2ajCceWmQuUz97G5Bq1oYrED8c9U0Wk6pLMIMAE01Fbl4R790/gBE14xYlzjT3BpJS8m6Nr47WmbtloVxtShR3L0i9niB1IQ==", "Server Signature": "fjw0lvS8s/tcJnmMFJ7edVbjUG8evoOVVUkVscDiiUVIhK2UDABNdbg8yar5sbo480hx86wqAKVABj/XspN5PKuyWVLKhdo6+8bgL09CrVVPS8mtUxvUVirga0uc6Rct8WZQzoTyo9Hir4tdEWyFpj40Vgm4TR92sJDwK7SbWM0="}

Multi AV Scanner detection for submitted file

Source: rEzX7eqgfo.exe	ReversingLabs: Detection: 87%
Source: rEzX7eqgfo.exe	Virustotal: Detection: 62%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: rEzX7eqgfo.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: 4449
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: 62.60.226.26
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: RAT + hVNC 6.0.5
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: false
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: ahyttjzatffxeud
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: MIICLjCCAZegAwIBAgIVAPBPXxep5LHy//3KuSIltMYfCHGFMA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMDExNTE1MTZaFw0zNDEyMDkxNTE1MTZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCeUwNOg+0AZcPc0s4gmcK4Eni/3+DY0l45lVNKN0ddW0llXjiJbL0hqKpFdIVBh+3h2QTWbyOLwRM8Ct/nGBZTAG9YYA0RsfHEagU/ldxyA3z74NXaKrRDTncdq/nqig5/djsiWgmAkMTlyQ2XeHXMCHDu72Z79yJPCeGsfqxMQIDAQABozIwMDAdBgNVHQ4EFgQUOiSpmpnHxWJvh331ptHI08FPmpkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBvwnIi5E7QmPobMpZMeXDyO+1W1jFAUEJDqBuW7izCZ69Yr/LcVTSfPfJJSJXa1zKf8+TMBPo/Sd2ajCceWmQuUz97G5Bq1oYrED8c9U0Wk6pLMIMAE01Fbl4R790/gBE14xYlzjT3BpJS8m6Nr47WmbtloVxtShR3L0i9niB1IQ==
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: fjw0lvS8s/tcJnmMFJ7edVbjUG8evoOVVUkVscDiiUVIhK2UDABNdbg8yar5sbo480hx86wqAKVABj/XspN5PKuyWVLKhdo6+8bgL09CrVVPS8mtUxvUVirga0uc6Rct8WZQzoTyo9Hir4tdEWyFpj40Vgm4TR92sJDwK7SbWM0=
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: null
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: false
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: false
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: Default
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: false
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack	String decryptor: false

Source: rEzX7eqgfo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdbP source: rEzX7eqgfo.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdb source: rEzX7eqgfo.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49700 -> 62.60.226.26:4449

Source: Joe Sandbox View

ASN Name: ASLINE-AS-APASLINELIMITEDHK ASLINE-AS-APASLINELIMITEDHK

Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26
Source: unknown	TCP traffic detected without corresponding DNS query: 62.60.226.26

Source: rEzX7eqgfo.exe	String found in binary or memory: http://ipinfo.io/ip
Source: rEzX7eqgfo.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rEzX7eqgfo.exe, 00000000.00000002.2526621090.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rEzX7eqgfo.exe	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: rEzX7eqgfo.exe	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: rEzX7eqgfo.exe	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: rEzX7eqgfo.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: rEzX7eqgfo.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rEzX7eqgfo.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: rEzX7eqgfo.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: rEzX7eqgfo.exe	String found in binary or memory: https://urn.to/r/sds_see
Source: rEzX7eqgfo.exe	String found in binary or memory: https://urn.to/r/sds_seeaCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Code function: 0_2_00007FFAAC493ACE NtProtectVirtualMemory,

0_2_00007FFAAC493ACE

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Code function: 0_2_00007FFAAC493ACE	0_2_00007FFAAC493ACE
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Code function: 0_2_00007FFAAC492EF0	0_2_00007FFAAC492EF0
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Code function: 0_2_00007FFAAC4933DD	0_2_00007FFAAC4933DD

Source: rEzX7eqgfo.exe, 00000000.00000000.1256592085.0000000000B50000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs rEzX7eqgfo.exe
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehvnc.exe" vs rEzX7eqgfo.exe
Source: rEzX7eqgfo.exe, 00000000.00000002.2525725857.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rEzX7eqgfo.exe
Source: rEzX7eqgfo.exe	Binary or memory string: OriginalFilenamehvnc.exe" vs rEzX7eqgfo.exe
Source: rEzX7eqgfo.exe	Binary or memory string: OriginalFilenameClientAny.exe" vs rEzX7eqgfo.exe

Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: rEzX7eqgfo.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

File created: C:\Users\user\AppData\Roaming\7n5rJCiEX08cdKRQsT6vxkbuaZ

Jump to behavior

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Mutant created: \Sessions\1\BaseNamedObjects\aBqoXyRnK9b5jm5faX2ra7vXc+ikaHtqanL//jaSqv0DF2OLwpFG92uUkcY7yTmwqfyk3MsvFUoBMBK9TRk0Vg==
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Mutant created: NULL

Source: rEzX7eqgfo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rEzX7eqgfo.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.70%

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rEzX7eqgfo.exe	ReversingLabs: Detection: 87%
Source: rEzX7eqgfo.exe	Virustotal: Detection: 62%

Source: rEzX7eqgfo.exe	String found in binary or memory: /C -StartDelay : Sleeping ISetFileCreationDate : Changing file
Source: rEzX7eqgfo.exe	String found in binary or memory: maxBufferSize!CheckTaskNotNull/LoadIntoBufferAsyncCore
Source: rEzX7eqgfo.exe	String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries
Source: rEzX7eqgfo.exe	String found in binary or memory: IF294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: rEzX7eqgfo.exe	String found in binary or memory: HasSubValue3Conflicting item/add type
Source: rEzX7eqgfo.exe	String found in binary or memory: U/configuration/appSettings/add[@key='{0}']
Source: rEzX7eqgfo.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: rEzX7eqgfo.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Section loaded: schannel.dll	Jump to behavior

Source: rEzX7eqgfo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rEzX7eqgfo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rEzX7eqgfo.exe

Static file information: File size 3136512 > 1048576

Source: rEzX7eqgfo.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2fca00

Source: rEzX7eqgfo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdbP source: rEzX7eqgfo.exe
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdb source: rEzX7eqgfo.exe

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected VenomRAT

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rEzX7eqgfo.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Memory allocated: 1390000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe	Memory allocated: 1AD10000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe TID: 7260	Thread sleep count: 33 > 30			Jump to behavior
Source: C:\Users\user\Desktop\rEzX7eqgfo.exe TID: 7260	Thread sleep time: -99000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: rEzX7eqgfo.exe	Binary or memory string: vmware
Source: rEzX7eqgfo.exe	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: rEzX7eqgfo.exe	Binary or memory string: VirtualMachine:
Source: rEzX7eqgfo.exe, 00000000.00000002.2528482104.000000001B853000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Source: rEzX7eqgfo.exe	Binary or memory string: Shell_TrayWnd
Source: rEzX7eqgfo.exe	Binary or memory string: ProgMan
Source: rEzX7eqgfo.exe	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Queries volume information: C:\Users\user\Desktop\rEzX7eqgfo.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\rEzX7eqgfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: exodus
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: rEzX7eqgfo.exe, 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.975b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: rEzX7eqgfo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rEzX7eqgfo.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rEzX7eqgfo.exe PID: 4900, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rEzX7eqgfo.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.CryoMarte
rEzX7eqgfo.exe	62%	Virustotal		Browse
rEzX7eqgfo.exe	100%	Avira	HEUR/AGEN.1357486
rEzX7eqgfo.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://stackoverflow.com/q/14436606/23354cIt	rEzX7eqgfo.exe	false	high
https://urn.to/r/sds_see	rEzX7eqgfo.exe	false	high
http://ipinfo.io/ip	rEzX7eqgfo.exe	false	high
https://github.com/LimerBoy/StormKitty	rEzX7eqgfo.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rEzX7eqgfo.exe, 00000000.00000002.2526621090.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	rEzX7eqgfo.exe	false	high
https://stackoverflow.com/q/2152978/23354	rEzX7eqgfo.exe	false	high
https://urn.to/r/sds_seeaCould	rEzX7eqgfo.exe	false	high
http://james.newtonking.com/projects/json	rEzX7eqgfo.exe	false	high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	rEzX7eqgfo.exe	false	high
http://www.newtonsoft.com/jsonschema	rEzX7eqgfo.exe	false	high
https://discordapp.com/api/v6/users/	rEzX7eqgfo.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.60.226.26	unknown	Iran (ISLAMIC Republic Of)		18013	ASLINE-AS-APASLINELIMITEDHK	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589015
Start date and time:	2025-01-11 08:26:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rEzX7eqgfo.exe renamed because original name is a hash value
Original Sample Name:	8c6a99f240d978718d2f962619c23168.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:59:46	API Interceptor	24x Sleep call for process: rEzX7eqgfo.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLINE-AS-APASLINELIMITEDHK	6.elf	Get hash	malicious	Unknown	Browse	62.60.239.47
	fYT3jJZgOX.exe	Get hash	malicious	Njrat	Browse	154.197.69.14
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	180.223.114.199
	pTvHtQDXio.exe	Get hash	malicious	Amadey	Browse	62.60.226.15
	IGz.arm7.elf	Get hash	malicious	Mirai	Browse	213.176.118.46
	sh4.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.177.25.107
	i586.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.177.25.107
	x86.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.177.25.107
	x32.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.177.25.107
	arm5.xxx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.177.25.107

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.849737654893876
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.70% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win32 EXE PECompact compressed (generic) (41571/9) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	rEzX7eqgfo.exe
File size:	3'136'512 bytes
MD5:	8c6a99f240d978718d2f962619c23168
SHA1:	cbee26a0553840d6f3cdb5fc306c3bc13cdbf7d4
SHA256:	240175a3a74b70fb9f6d0463042d6ef21223e2acc843e589d91ec607d52305a8
SHA512:	7044b7909f48f4ff5b58b0412b573a7fef145d8c3dd24bee76c5fd215aa7addd4af9f6818426409055a7ab99cbca7d619f92205dae21de2ea108e063b269e6b0
SSDEEP:	49152:XPCQNqtCSmdatQdsgUBX3B3kNC3H6vUZikr/Nxe:XPVlSmdatQSN
TLSH:	21E55A917BE4DE1AE1AF2771E4B101152BB1E419A732DB8F56C0E2B82C53740AD463BF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.Ng................../.........../.. ....0...@.. .......................@0...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6fe8be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674EEA4B [Tue Dec 3 11:23:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2fe870	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x300000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x302000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2fc8c4	0x2fca00	94460e26a95e13fb78a51e6f2211338f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x300000	0xdf7	0xe00	f0879fac534efcb99739407818b71fe1	False	0.40345982142857145	data	5.115505372139322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x302000	0xc	0x200	5297018feaf5ee2a10b3faa00fedc2e6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3000a0	0x2d4	data			0.44751381215469616
RT_MANIFEST	0x300374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:26:59.169018984 CET	49700	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:26:59.174130917 CET	4449	49700	62.60.226.26	192.168.2.7
Jan 11, 2025 08:26:59.174412012 CET	49700	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:26:59.184755087 CET	49700	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:26:59.189630985 CET	4449	49700	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:00.819358110 CET	4449	49700	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:00.819443941 CET	49700	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:04.016324043 CET	49700	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:04.020239115 CET	49701	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:04.021177053 CET	4449	49700	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:04.025130033 CET	4449	49701	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:04.025222063 CET	49701	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:04.030643940 CET	49701	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:04.035485029 CET	4449	49701	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:05.658785105 CET	4449	49701	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:05.660598040 CET	49701	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:08.689038992 CET	49701	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:08.689944983 CET	49723	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:08.693872929 CET	4449	49701	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:08.694818974 CET	4449	49723	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:08.694899082 CET	49723	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:08.699002028 CET	49723	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:08.703949928 CET	4449	49723	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:10.331609011 CET	4449	49723	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:10.331686974 CET	49723	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:13.342421055 CET	49723	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:13.342808962 CET	49751	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:13.347451925 CET	4449	49723	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:13.347661972 CET	4449	49751	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:13.347757101 CET	49751	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:13.348144054 CET	49751	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:13.353075981 CET	4449	49751	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:14.993275881 CET	4449	49751	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:14.996845961 CET	49751	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:18.017153978 CET	49751	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:18.017646074 CET	49780	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:18.022028923 CET	4449	49751	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:18.022485971 CET	4449	49780	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:18.022607088 CET	49780	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:18.022995949 CET	49780	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:18.027770996 CET	4449	49780	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:19.678870916 CET	4449	49780	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:19.679073095 CET	49780	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:22.775563002 CET	49780	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:22.776139975 CET	49806	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:22.780421972 CET	4449	49780	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:22.781044960 CET	4449	49806	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:22.781106949 CET	49806	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:22.781933069 CET	49806	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:22.787424088 CET	4449	49806	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:24.427892923 CET	4449	49806	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:24.427992105 CET	49806	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:27.435830116 CET	49806	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:27.436233997 CET	49838	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:27.440907001 CET	4449	49806	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:27.441226959 CET	4449	49838	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:27.441334963 CET	49838	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:27.441704035 CET	49838	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:27.446561098 CET	4449	49838	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:29.081294060 CET	4449	49838	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:29.081470966 CET	49838	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:32.092215061 CET	49838	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:32.092622042 CET	49869	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:32.097011089 CET	4449	49838	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:32.097470999 CET	4449	49869	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:32.097569942 CET	49869	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:32.097913027 CET	49869	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:32.102720022 CET	4449	49869	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:33.736779928 CET	4449	49869	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:33.736845970 CET	49869	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:36.749922991 CET	49869	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:36.750291109 CET	49900	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:36.754735947 CET	4449	49869	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:36.755119085 CET	4449	49900	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:36.755192041 CET	49900	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:36.755570889 CET	49900	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:36.760305882 CET	4449	49900	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:38.431489944 CET	4449	49900	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:38.433255911 CET	49900	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:41.451653957 CET	49900	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:41.452064037 CET	49931	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:41.456439972 CET	4449	49900	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:41.456861019 CET	4449	49931	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:41.456938982 CET	49931	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:41.457299948 CET	49931	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:41.462021112 CET	4449	49931	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:43.099104881 CET	4449	49931	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:43.099195957 CET	49931	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:46.107820988 CET	49931	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:46.108357906 CET	49958	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:46.112930059 CET	4449	49931	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:46.113343000 CET	4449	49958	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:46.113449097 CET	49958	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:46.113910913 CET	49958	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:46.118750095 CET	4449	49958	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:47.755249023 CET	4449	49958	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:47.755311012 CET	49958	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:50.763658047 CET	49958	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:50.764136076 CET	49980	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:50.768469095 CET	4449	49958	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:50.769038916 CET	4449	49980	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:50.769118071 CET	49980	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:50.769489050 CET	49980	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:50.774223089 CET	4449	49980	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:52.409806013 CET	4449	49980	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:52.409910917 CET	49980	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:55.420672894 CET	49980	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:55.421106100 CET	49982	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:55.427345037 CET	4449	49980	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:55.427817106 CET	4449	49982	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:55.427921057 CET	49982	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:55.428322077 CET	49982	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:55.435095072 CET	4449	49982	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:57.066284895 CET	4449	49982	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:57.066385984 CET	49982	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:59.969552994 CET	49982	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:59.970608950 CET	49983	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:59.974589109 CET	4449	49982	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:59.975605965 CET	4449	49983	62.60.226.26	192.168.2.7
Jan 11, 2025 08:27:59.975698948 CET	49983	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:59.981000900 CET	49983	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:27:59.985872030 CET	4449	49983	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:01.613312960 CET	4449	49983	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:01.613600016 CET	49983	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:04.060858011 CET	49983	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:04.061120987 CET	49984	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:04.065969944 CET	4449	49983	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:04.065994978 CET	4449	49984	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:04.066106081 CET	49984	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:04.066483974 CET	49984	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:04.071239948 CET	4449	49984	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:05.728984118 CET	4449	49984	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:05.729290009 CET	49984	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:07.920123100 CET	49984	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:07.920542002 CET	49985	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:07.925132990 CET	4449	49984	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:07.925508976 CET	4449	49985	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:07.925736904 CET	49985	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:07.926069021 CET	49985	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:07.930896997 CET	4449	49985	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:09.567099094 CET	4449	49985	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:09.567322016 CET	49985	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:11.546518087 CET	49985	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:11.547195911 CET	49986	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:11.551429033 CET	4449	49985	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:11.552134991 CET	4449	49986	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:11.552222013 CET	49986	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:11.552936077 CET	49986	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:11.557868958 CET	4449	49986	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:13.193325043 CET	4449	49986	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:13.193464041 CET	49986	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:14.982530117 CET	49986	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:14.982930899 CET	49987	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:14.987482071 CET	4449	49986	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:14.987816095 CET	4449	49987	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:14.987894058 CET	49987	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:14.988357067 CET	49987	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:14.993175030 CET	4449	49987	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:16.632613897 CET	4449	49987	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:16.632850885 CET	49987	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:18.233457088 CET	49987	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:18.233906031 CET	49988	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:18.367882967 CET	4449	49987	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:18.367907047 CET	4449	49988	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:18.368071079 CET	49988	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:18.368500948 CET	49988	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:18.373352051 CET	4449	49988	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:20.023488998 CET	4449	49988	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:20.023735046 CET	49988	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:21.466939926 CET	49988	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:21.467330933 CET	49989	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:21.471859932 CET	4449	49988	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:21.472103119 CET	4449	49989	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:21.472189903 CET	49989	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:21.472592115 CET	49989	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:21.477416039 CET	4449	49989	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:23.121670961 CET	4449	49989	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:23.121900082 CET	49989	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:24.420829058 CET	49989	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:24.421204090 CET	49990	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:24.425899029 CET	4449	49989	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:24.425997972 CET	4449	49990	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:24.426064014 CET	49990	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:24.426466942 CET	49990	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:24.431247950 CET	4449	49990	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:26.086555004 CET	4449	49990	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:26.086807966 CET	49990	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:27.263802052 CET	49990	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:27.264343977 CET	49991	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:27.268716097 CET	4449	49990	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:27.269202948 CET	4449	49991	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:27.269295931 CET	49991	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:27.269714117 CET	49991	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:27.274522066 CET	4449	49991	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:28.910717010 CET	4449	49991	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:28.910866976 CET	49991	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:29.967483997 CET	49991	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:29.967947960 CET	49992	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:29.972430944 CET	4449	49991	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:29.972775936 CET	4449	49992	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:29.972887993 CET	49992	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:29.973479986 CET	49992	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:29.978245974 CET	4449	49992	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:31.635339022 CET	4449	49992	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:31.635543108 CET	49992	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:32.592071056 CET	49992	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:32.592446089 CET	49993	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:32.596957922 CET	4449	49992	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:32.597240925 CET	4449	49993	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:32.597381115 CET	49993	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:32.597673893 CET	49993	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:32.602397919 CET	4449	49993	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:34.240513086 CET	4449	49993	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:34.240642071 CET	49993	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:35.092076063 CET	49993	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:35.092434883 CET	49994	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:35.097104073 CET	4449	49993	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:35.097387075 CET	4449	49994	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:35.097548008 CET	49994	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:35.097831011 CET	49994	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:35.102742910 CET	4449	49994	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:36.760363102 CET	4449	49994	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:36.760473967 CET	49994	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:37.530555010 CET	49994	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:37.531001091 CET	49995	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:37.535784960 CET	4449	49994	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:37.535887957 CET	4449	49995	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:37.536015987 CET	49995	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:37.536381006 CET	49995	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:37.541265011 CET	4449	49995	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:39.178669930 CET	4449	49995	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:39.178828955 CET	49995	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:39.938617945 CET	49995	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:39.939465046 CET	49996	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:39.943696022 CET	4449	49995	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:39.944268942 CET	4449	49996	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:39.944438934 CET	49996	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:39.944802999 CET	49996	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:39.949620008 CET	4449	49996	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:41.584633112 CET	4449	49996	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:41.584881067 CET	49996	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:42.298502922 CET	49996	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:42.298923969 CET	49997	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:42.303502083 CET	4449	49996	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:42.303818941 CET	4449	49997	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:42.303900957 CET	49997	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:42.304299116 CET	49997	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:42.309060097 CET	4449	49997	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:43.941713095 CET	4449	49997	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:43.941891909 CET	49997	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:44.514466047 CET	49997	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:44.514837027 CET	49998	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:44.519517899 CET	4449	49997	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:44.519938946 CET	4449	49998	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:44.520036936 CET	49998	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:44.520514011 CET	49998	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:44.525336981 CET	4449	49998	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:46.178276062 CET	4449	49998	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:46.178455114 CET	49998	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:46.687628031 CET	49998	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:46.688293934 CET	49999	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:46.692713976 CET	4449	49998	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:46.693274975 CET	4449	49999	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:46.693423033 CET	49999	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:46.694175005 CET	49999	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:46.698997974 CET	4449	49999	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:48.336357117 CET	4449	49999	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:48.336575985 CET	49999	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:48.795085907 CET	49999	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:48.795512915 CET	50000	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:48.799993992 CET	4449	49999	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:48.800410032 CET	4449	50000	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:48.800503969 CET	50000	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:48.800899029 CET	50000	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:48.805651903 CET	4449	50000	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:50.443106890 CET	4449	50000	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:50.443439960 CET	50000	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:50.860651970 CET	50000	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:50.861469030 CET	50001	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:50.865529060 CET	4449	50000	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:50.866350889 CET	4449	50001	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:50.866652012 CET	50001	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:50.867036104 CET	50001	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:50.871906996 CET	4449	50001	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:52.504744053 CET	4449	50001	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:52.504906893 CET	50001	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:52.873172045 CET	50001	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:52.873528957 CET	50002	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:52.878051996 CET	4449	50001	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:52.878386021 CET	4449	50002	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:52.878464937 CET	50002	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:52.878844023 CET	50002	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:52.883646965 CET	4449	50002	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:54.520421982 CET	4449	50002	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:54.520479918 CET	50002	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:54.861531973 CET	50002	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:54.862051010 CET	50003	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:54.866594076 CET	4449	50002	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:54.867017984 CET	4449	50003	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:54.867149115 CET	50003	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:54.867764950 CET	50003	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:54.872668028 CET	4449	50003	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:56.529556036 CET	4449	50003	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:56.529632092 CET	50003	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:56.842573881 CET	50003	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:56.843041897 CET	50004	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:56.847583055 CET	4449	50003	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:56.847978115 CET	4449	50004	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:56.848088980 CET	50004	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:56.848494053 CET	50004	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:56.853337049 CET	4449	50004	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:58.524656057 CET	4449	50004	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:58.524736881 CET	50004	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:59.503711939 CET	50004	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:59.504276991 CET	50005	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:59.508635044 CET	4449	50004	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:59.509104013 CET	4449	50005	62.60.226.26	192.168.2.7
Jan 11, 2025 08:28:59.509166956 CET	50005	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:59.510303974 CET	50005	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:28:59.515038967 CET	4449	50005	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:01.145795107 CET	4449	50005	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:01.146064043 CET	50005	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:29:01.388915062 CET	50005	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:29:01.389378071 CET	50006	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:29:01.393826008 CET	4449	50005	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:01.394187927 CET	4449	50006	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:01.394332886 CET	50006	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:29:01.394651890 CET	50006	4449	192.168.2.7	62.60.226.26
Jan 11, 2025 08:29:01.399435997 CET	4449	50006	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:03.055938959 CET	4449	50006	62.60.226.26	192.168.2.7
Jan 11, 2025 08:29:03.056036949 CET	50006	4449	192.168.2.7	62.60.226.26

Target ID:	0
Start time:	02:26:53
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\rEzX7eqgfo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rEzX7eqgfo.exe"
Imagebase:	0x850000
File size:	3'136'512 bytes
MD5 hash:	8C6A99F240D978718D2F962619C23168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1256211306.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFAAC492EF0 Relevance: 10.6, Strings: 8, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00007FFAAC494D54
0&, xrefs: 00007FFAAC494C29
/, xrefs: 00007FFAAC494CA1
,, xrefs: 00007FFAAC494D6A
r6, xrefs: 00007FFAAC4951E7
/, xrefs: 00007FFAAC494D00
/, xrefs: 00007FFAAC494DB3
/, xrefs: 00007FFAAC49517B

Memory Dump Source

Source File: 00000000.00000002.2529050999.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac490000_rEzX7eqgfo.jbxd

Similarity

API ID:
String ID: ,$0&$r6$/$/$/$/$/
API String ID: 0-1463716740
Opcode ID: 127f10f63b0fb4ec0d6362727d9181ba144c972373bba9fa99b05ca762b1a36c
Instruction ID: c6f0462361aa46e60a4de685d1f5e56240c71ca5c0bbbc36ca4de94771f0618d
Opcode Fuzzy Hash: 127f10f63b0fb4ec0d6362727d9181ba144c972373bba9fa99b05ca762b1a36c
Instruction Fuzzy Hash: 8D12B571A199198FEB98EB28C459AB973E1FF99304F148679D00FC32D6DE29EC4587C0

Function 00007FFAAC493ACE Relevance: 1.9, APIs: 1, Instructions: 443
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FFAAC493E24

Memory Dump Source

Source File: 00000000.00000002.2529050999.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac490000_rEzX7eqgfo.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: da1c88ba6d917e8f0a6c99478f724ac6a434ae48f8574d8ec1fbb888ae426d12
Instruction ID: fb71744ccb5fa88d29e5f0b5059a21cd5cf26217c7509c05c4f46e878e46fdd4
Opcode Fuzzy Hash: da1c88ba6d917e8f0a6c99478f724ac6a434ae48f8574d8ec1fbb888ae426d12
Instruction Fuzzy Hash: 43C1497190CB494FE71DE778D85A5F97BE5EF96310F0485BED08AC7193DD28A80A8381

Function 00007FFAAC4945FD Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFAAC4946D1

Memory Dump Source

Source File: 00000000.00000002.2529050999.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac490000_rEzX7eqgfo.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8b022c3732784b66e9f35cdf574ecbeadded6896f7f43ede0d9bb5f49c370f4f
Instruction ID: cc09551dcf6c1c824f9d2ae080c0941a9647a6cac860010f407e93d3fc0b2791
Opcode Fuzzy Hash: 8b022c3732784b66e9f35cdf574ecbeadded6896f7f43ede0d9bb5f49c370f4f
Instruction Fuzzy Hash: 3841097190CA588FD709DF68C809AF97BE5EF9A310F04427EE049C3252CA69A816C7D1

Non-executed Functions

Function 00007FFAAC4933DD Relevance: 2.9, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

mR_H, xrefs: 00007FFAAC493591
6, xrefs: 00007FFAAC49367D

Memory Dump Source

Source File: 00000000.00000002.2529050999.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac490000_rEzX7eqgfo.jbxd

Similarity

API ID:
String ID: 6$mR_H
API String ID: 0-3072342643
Opcode ID: 0057795f13dad8150650533ee6b0533738a34152d7735bb641374bd4dc373ded
Instruction ID: 9bbbca92d992dad6e32b48e421f7f593ade1a2cf25b689ecf5892cfbe6cd958a
Opcode Fuzzy Hash: 0057795f13dad8150650533ee6b0533738a34152d7735bb641374bd4dc373ded
Instruction Fuzzy Hash: EFB14A62A1DA094FF31CA738D85A5F577D5EFAA224B14817ED04EC3693DC2CA8068381

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rEzX7eqgfo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
rEzX7eqgfo.exe

Function 00007FFAAC492EF0 Relevance: 10.6, Strings: 8, Instructions: 619
COMMON

Function 00007FFAAC493ACE Relevance: 1.9, APIs: 1, Instructions: 443
nativeCOMMON

Function 00007FFAAC4945FD Relevance: 1.6, APIs: 1, Instructions: 150
COMMON