Edit tour

Windows Analysis Report
Discord.exe

Overview

General Information

Sample name:	Discord.exe
Analysis ID:	1590493
MD5:	9dcd35fe3cafec7a25aa3cdd08ded1f4
SHA1:	13f199bfd3f8b2925536144a1b42424675d7c8e4
SHA256:	ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Discord.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\Discord.exe" MD5: 9DCD35FE3CAFEC7A25AA3CDD08DED1F4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "2.tcp.eu.ngrok.io", "Ports": "19695", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "NqgX4cCmmE903Zi62xsKnekCElA9CS4M", "Mutex": "gonq3XlXWgiz", "Certificate": "MIIE8jCCAtqgAwIBAgIQAP0oyiOz3B6IlGmGQxDdOTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQxMjI3MTYwODExWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL81KWlg/fnIqdbRhcZAWTJXSZyblsfdmVXtpoDKqUW3mZW6wAser7vp+5ZFOyoziZ07q+uPix+p8mU7pYPRk5AdXEE3etHPJsuF3vU89lwDU8EzLnFSqILEX27yUQDCczwhG8coxKU7+Etmj90VXH+GqBDAf0rhEEQ79pxnSxVsZrTVntMm150OmFaXglX80L1s1LbBW5k2U4kjR6MVsVr4++8kH3/1PQIl/9u4RxWSipRCC+0ko5YlGuMtDiURgAfWJaDqp55MyPJdaads/c5VpUKHgpp3QHYyKxwHfook/IxJv7F69mJIOGtIx0WoH/A5n6BC7GVoZBo10rJQ/K/PqxUZtLxtLPqb2tR1z4AbGcNJs1GJ65HnFZbl4JlRJSZUNkCloNollmUomImI61vsgvrX7eds+KAGnIR/FA3ZqcsGi0HOybcL7cLq/C53cxD6de6zjL6E3Y6cnOaJVcEZiL/Ht1DLvPjYi0oGYGYnrQmnfuvTMHXdENymDdkr5UzuzAmbLqfMoIr/VhYxFE2yFB58yfGgyCIIjq2f8CsnW4FVvBlj8wu9pgaLJDfaIt/kk10smBJrHmApWM2dBNfuAH81aOC5wH7D9NCJQsjI6t5Z8STEOUEieRlGSDGHYDD1V/mNz7W0quApyUzp2BxnNLbxwvI1i6QOUMwVf+LAgMBAAGjMjAwMB0GA1UdDgQWBBRXDQJGYiU2B9aIEfynLf86NKMKxDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQDgWGOa86eW1S706lfEMR3eHEOG8aheW1bclqFdCU//CEMTVj5y+jxgmdDi6D1VPyj6BY7xrRIc2dxK77fA3G6mnzf2NGatOUuWtfTQml2K6M8Lmsjut/G05hAM3R/DLalds1qmqmvs3+9jwguSd6FMDkZ1/we+yP3zPzByqJM2+cnAPKisGcimf/XTlImc86Qs1aCn1UW86vNsDFjHPeLKRkem23zZf1CGMxTrg1n5YWvYcLwoRK238te99h10XMVF4VzMAg6M0lMqsRcn+59P9SFNO2uHOXCpc5Z5u1b2ueP1YZ58jZMpxSyrRTByb5tomHR5C9MWdAR0Uf2KZvtN8QX0WmmxxjXzltoy9eunK57DJ7pYbFXw2WtIK31AObxL8k7d/Tj7tMtX0xD3PVT52sfdyL1B7VejcOGaia3IqmIyy3HmVaBWLqNaVLz02VTmMhfGgdufs2ElNstaIvkMVIr9sAdPhIcvi4so7oavxc3fFcZ5FMRBaOytYgmi4NIFKqdIOVWWKyKFyALDaI9ltTxeDDA9DGXFgaPWr+607z0suV4gi//RZNePt88/ofSKXJSzGHCwE+pVhMJPOT/s9Hxo/q4UtJ6sytT/10GNJ7t18uvtF5HeMXPLS3h4K/B47Zv2sjWfoApzSbGkcViHo8NRFRQkiudAt/u3zu3afQ==", "ServerSignature": "F16HEKRGmDveP59ZWNHrIKJnOoOgkTCqtfpo0YdfgUvZsl7RlghXY1RewN8Z9fOLS3grlsnbISI1AN8PbruBAbVYvKpFTE4BrcyAoPqcO7j0j3cYR/PGxs92VgHC08DV5LTssICTfAh3sCTLYfaxclSC+hO024lZ7JVPyyjYroqJ0N4z1QFz84orIFDeer44n9dT5nawSG+RU1dJggO/i9aBx873aYOsN4/3LAXOxeahVjsPuAzigBeQEuzf0yOGpR8KhZYCIxqpHzJwh//A57xeg5Wt0bV2Y/uey1D329GW7V0LCTIDZIGa3t1RAwl9AYaV7zwhciIceR6uh3AIlxY+FtGDDRGdoGXakkMOwVWUF7Ocmz8Eoh5U/pVJO2LiG3wE80BjbNM3QQWgmchqYErYCXLJAINgUsD36JBpllntov+v3PiPYcyESzNLSmuLWZ7rgAA1QB4RDii9i/teBfdh3lIfrbO9RjFukFqiCa8F+IwFB+fV8YNRUZhw2nEBjPxwDfOUB2snd/yhkHeLWDi6PMKR6InYEa4OeDqMaM5mB3tTLCQLRnj4/cvw6aJBLD7NCpcdSBNTQjZReoESPaFWVzccyCJMlMIuGIWqIYTKoNPhWVJyy3TOcwCDe5kFV+MYvN2rxJbXlCxDPP7VEgO+FWstUN12ef7Iy7A7Z5c=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Discord.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Discord.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Discord.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x991b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6703:$a3: get_ActivatePong 0x9b33:$a4: vmware 0x99ab:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7452:$a6: get_SslClient
Discord.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6703:$str01: get_ActivatePong 0x7452:$str02: get_SslClient 0x746e:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x6495:$str06: set_UseShellExecute 0x9c51:$str07: Pastebin 0x9cd3:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a2b:$str10: timeout 3 > NUL 0x991b:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99ab:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Discord.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ad:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97ad:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Discord.exe PID: 7504	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Discord.exe PID: 7504	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3c2f2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Discord.exe.ea0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.Discord.exe.ea0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Discord.exe.ea0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x991b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x6703:$a3: get_ActivatePong 0x9b33:$a4: vmware 0x99ab:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7452:$a6: get_SslClient
0.0.Discord.exe.ea0000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6703:$str01: get_ActivatePong 0x7452:$str02: get_SslClient 0x746e:$str03: get_TcpClient 0x5d0e:$str04: get_SendSync 0x5d5e:$str05: get_IsConnected 0x6495:$str06: set_UseShellExecute 0x9c51:$str07: Pastebin 0x9cd3:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x9a2b:$str10: timeout 3 > NUL 0x991b:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99ab:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.Discord.exe.ea0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99ad:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Discord.exe

Avira: detected

Antivirus detection for URL or domain

Source: 2.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Found malware configuration

Source: Discord.exe

Malware Configuration Extractor: AsyncRAT {"Server": "2.tcp.eu.ngrok.io", "Ports": "19695", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "NqgX4cCmmE903Zi62xsKnekCElA9CS4M", "Mutex": "gonq3XlXWgiz", "Certificate": "MIIE8jCCAtqgAwIBAgIQAP0oyiOz3B6IlGmGQxDdOTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQxMjI3MTYwODExWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL81KWlg/fnIqdbRhcZAWTJXSZyblsfdmVXtpoDKqUW3mZW6wAser7vp+5ZFOyoziZ07q+uPix+p8mU7pYPRk5AdXEE3etHPJsuF3vU89lwDU8EzLnFSqILEX27yUQDCczwhG8coxKU7+Etmj90VXH+GqBDAf0rhEEQ79pxnSxVsZrTVntMm150OmFaXglX80L1s1LbBW5k2U4kjR6MVsVr4++8kH3/1PQIl/9u4RxWSipRCC+0ko5YlGuMtDiURgAfWJaDqp55MyPJdaads/c5VpUKHgpp3QHYyKxwHfook/IxJv7F69mJIOGtIx0WoH/A5n6BC7GVoZBo10rJQ/K/PqxUZtLxtLPqb2tR1z4AbGcNJs1GJ65HnFZbl4JlRJSZUNkCloNollmUomImI61vsgvrX7eds+KAGnIR/FA3ZqcsGi0HOybcL7cLq/C53cxD6de6zjL6E3Y6cnOaJVcEZiL/Ht1DLvPjYi0oGYGYnrQmnfuvTMHXdENymDdkr5UzuzAmbLqfMoIr/VhYxFE2yFB58yfGgyCIIjq2f8CsnW4FVvBlj8wu9pgaLJDfaIt/kk10smBJrHmApWM2dBNfuAH81aOC5wH7D9NCJQsjI6t5Z8STEOUEieRlGSDGHYDD1V/mNz7W0quApyUzp2BxnNLbxwvI1i6QOUMwVf+LAgMBAAGjMjAwMB0GA1UdDgQWBBRXDQJGYiU2B9aIEfynLf86NKMKxDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQDgWGOa86eW1S706lfEMR3eHEOG8aheW1bclqFdCU//CEMTVj5y+jxgmdDi6D1VPyj6BY7xrRIc2dxK77fA3G6mnzf2NGatOUuWtfTQml2K6M8Lmsjut/G05hAM3R/DLalds1qmqmvs3+9jwguSd6FMDkZ1/we+yP3zPzByqJM2+cnAPKisGcimf/XTlImc86Qs1aCn1UW86vNsDFjHPeLKRkem23zZf1CGMxTrg1n5YWvYcLwoRK238te99h10XMVF4VzMAg6M0lMqsRcn+59P9SFNO2uHOXCpc5Z5u1b2ueP1YZ58jZMpxSyrRTByb5tomHR5C9MWdAR0Uf2KZvtN8QX0WmmxxjXzltoy9eunK57DJ7pYbFXw2WtIK31AObxL8k7d/Tj7tMtX0xD3PVT52sfdyL1B7VejcOGaia3IqmIyy3HmVaBWLqNaVLz02VTmMhfGgdufs2ElNstaIvkMVIr9sAdPhIcvi4so7oavxc3fFcZ5FMRBaOytYgmi4NIFKqdIOVWWKyKFyALDaI9ltTxeDDA9DGXFgaPWr+607z0suV4gi//RZNePt88/ofSKXJSzGHCwE+pVhMJPOT/s9Hxo/q4UtJ6sytT/10GNJ7t18uvtF5HeMXPLS3h4K/B47Zv2sjWfoApzSbGkcViHo8NRFRQkiudAt/u3zu3afQ==", "ServerSignature": "F16HEKRGmDveP59ZWNHrIKJnOoOgkTCqtfpo0YdfgUvZsl7RlghXY1RewN8Z9fOLS3grlsnbISI1AN8PbruBAbVYvKpFTE4BrcyAoPqcO7j0j3cYR/PGxs92VgHC08DV5LTssICTfAh3sCTLYfaxclSC+hO024lZ7JVPyyjYroqJ0N4z1QFz84orIFDeer44n9dT5nawSG+RU1dJggO/i9aBx873aYOsN4/3LAXOxeahVjsPuAzigBeQEuzf0yOGpR8KhZYCIxqpHzJwh//A57xeg5Wt0bV2Y/uey1D329GW7V0LCTIDZIGa3t1RAwl9AYaV7zwhciIceR6uh3AIlxY+FtGDDRGdoGXakkMOwVWUF7Ocmz8Eoh5U/pVJO2LiG3wE80BjbNM3QQWgmchqYErYCXLJAINgUsD36JBpllntov+v3PiPYcyESzNLSmuLWZ7rgAA1QB4RDii9i/teBfdh3lIfrbO9RjFukFqiCa8F+IwFB+fV8YNRUZhw2nEBjPxwDfOUB2snd/yhkHeLWDi6PMKR6InYEa4OeDqMaM5mB3tTLCQLRnj4/cvw6aJBLD7NCpcdSBNTQjZReoESPaFWVzccyCJMlMIuGIWqIYTKoNPhWVJyy3TOcwCDe5kFV+MYvN2rxJbXlCxDPP7VEgO+FWstUN12ef7Iy7A7Z5c=", "BDOS": "false", "External_config_on_Pastebin": "null"}

Multi AV Scanner detection for submitted file

Source: Discord.exe	ReversingLabs: Detection: 86%
Source: Discord.exe	Virustotal: Detection: 80%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Discord.exe

Joe Sandbox ML: detected

Source: Discord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Discord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Yara detected Generic Downloader

Source: Yara match	File source: Discord.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 18.156.13.209:19695
Source: global traffic	TCP traffic: 192.168.2.4:49797 -> 3.127.138.57:19695

Source: Joe Sandbox View	IP Address: 18.156.13.209 18.156.13.209
Source: Joe Sandbox View	IP Address: 3.127.138.57 3.127.138.57

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 2.tcp.eu.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Discord.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Discord.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Discord.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: Discord.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: Discord.exe, 00000000.00000000.1690061826.0000000000EAE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs Discord.exe
Source: Discord.exe	Binary or memory string: OriginalFilenameStub.exe" vs Discord.exe

Source: Discord.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Discord.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Discord.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: Discord.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\Discord.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Discord.exe	Mutant created: \Sessions\1\BaseNamedObjects\gonq3XlXWgiz

Source: Discord.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Discord.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Discord.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Discord.exe	ReversingLabs: Detection: 86%
Source: Discord.exe	Virustotal: Detection: 80%

Source: C:\Users\user\Desktop\Discord.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Section loaded: schannel.dll	Jump to behavior

Source: Discord.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Discord.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Discord.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR

Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Discord.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Discord.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Discord.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Discord.exe	Memory allocated: 51D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Discord.exe TID: 7508

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Discord.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Discord.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Discord.exe	Binary or memory string: vmware
Source: Discord.exe, 00000000.00000002.2933515051.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Discord.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Discord.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Discord.exe

Queries volume information: C:\Users\user\Desktop\Discord.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Discord.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Discord.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Discord.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discord.exe PID: 7504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Discord.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
Discord.exe	80%	Virustotal		Browse
Discord.exe	100%	Avira	TR/Dropper.Gen
Discord.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	18.156.13.209	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.156.13.209	2.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	false
3.127.138.57	unknown	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590493
Start date and time:	2025-01-14 06:06:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Discord.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Discord.exe, PID 7504 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.156.13.209	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
3.127.138.57	f3aef511705f37f9792c6032b936ca61.exe	Get hash	malicious	Njrat	Browse
	En3e396wX1.exe	Get hash	malicious	Njrat	Browse
	ea1Wv7aq.posh.ps1	Get hash	malicious	Metasploit	Browse
	R3ov8eFFFP.exe	Get hash	malicious	Njrat	Browse
	b8UsrDOVGV.exe	Get hash	malicious	Njrat	Browse
	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	oiA5KmV0f0.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	7166_output.vbs	Get hash	malicious	AsyncRAT	Browse	18.156.13.209
	fBpY1pYq34.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	f3aef511705f37f9792c6032b936ca61.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	W9UAjNR4L6.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	ULNZPn6D33.exe	Get hash	malicious	Sliver	Browse	18.197.239.5
	Injector.exe	Get hash	malicious	ZTrat	Browse	18.197.239.5
	7zFM.exe	Get hash	malicious	ZTrat	Browse	3.126.37.18
	Game Laucher.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	10.exe	Get hash	malicious	Unknown	Browse	18.192.93.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://locrmhelp.com	Get hash	malicious	Unknown	Browse	52.84.151.46
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	108.138.26.27
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	108.138.26.116
	http://pub-dfc04553e9094cfc93a2df6d57084097.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	54.229.247.168
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	3.75.10.80
	http://mattamaks_walletus.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	13.248.243.5
	http://quizzical-dubinsky-9105e4.netlify.app/	Get hash	malicious	Unknown	Browse	3.124.100.143
AMAZON-02US	http://locrmhelp.com	Get hash	malicious	Unknown	Browse	52.84.151.46
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	108.138.26.27
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	108.138.26.116
	http://pub-dfc04553e9094cfc93a2df6d57084097.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	54.229.247.168
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	3.75.10.80
	http://mattamaks_walletus.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	13.248.243.5
	http://quizzical-dubinsky-9105e4.netlify.app/	Get hash	malicious	Unknown	Browse	3.124.100.143

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.449594665780697
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Discord.exe
File size:	46'080 bytes
MD5:	9dcd35fe3cafec7a25aa3cdd08ded1f4
SHA1:	13f199bfd3f8b2925536144a1b42424675d7c8e4
SHA256:	ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be
SHA512:	9a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3
SSDEEP:	768:KuPfZTg4pYiWUU9jjmo2qrGQ6vincPI9rjbQgX3i6cPlSZ8OoriBDZSx:KuPfZTgKa2AKU9/bXXS6ckUrcdSx
TLSH:	0F232B003BE9C127F2BF5B78ADF26105467AF2632A03D64E1CC4519B5613FC68A526FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40c70e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa714	0xa800	9d24fb5c6d931052766ec9573fb3764c	False	0.49923270089285715	data	5.504696129609637	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	f65a5e081190af50315d9bc15ce55ce3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 06:07:05.332602978 CET	49730	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:05.337646008 CET	19695	49730	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:05.337779045 CET	49730	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:05.349502087 CET	49730	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:05.355328083 CET	19695	49730	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:06.984033108 CET	19695	49730	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:06.984270096 CET	49730	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:12.021197081 CET	49730	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:12.022241116 CET	49731	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:12.026304960 CET	19695	49730	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:12.027439117 CET	19695	49731	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:12.027661085 CET	49731	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:12.028069973 CET	49731	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:12.033030987 CET	19695	49731	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:13.688561916 CET	19695	49731	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:13.688767910 CET	49731	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:18.691102982 CET	49731	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:18.692384958 CET	49735	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:18.696106911 CET	19695	49731	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:18.697300911 CET	19695	49735	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:18.697499037 CET	49735	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:18.698009968 CET	49735	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:18.702960014 CET	19695	49735	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:20.340380907 CET	19695	49735	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:20.344280958 CET	49735	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:25.347954988 CET	49735	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:25.350455999 CET	49739	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:25.352952957 CET	19695	49735	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:25.355343103 CET	19695	49739	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:25.355432034 CET	49739	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:25.357460022 CET	49739	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:25.362302065 CET	19695	49739	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:26.998084068 CET	19695	49739	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:26.998207092 CET	49739	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:32.003309965 CET	49739	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:32.004503012 CET	49740	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:32.008378029 CET	19695	49739	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:32.009388924 CET	19695	49740	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:32.009473085 CET	49740	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:32.009865046 CET	49740	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:32.014729977 CET	19695	49740	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:33.654287100 CET	19695	49740	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:33.654376030 CET	49740	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:38.659298897 CET	49740	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:38.660160065 CET	49741	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:38.664360046 CET	19695	49740	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:38.664979935 CET	19695	49741	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:38.665055990 CET	49741	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:38.665385962 CET	49741	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:38.670191050 CET	19695	49741	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:40.310528040 CET	19695	49741	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:40.310669899 CET	49741	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:45.315799952 CET	49741	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:45.317064047 CET	49742	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:45.320624113 CET	19695	49741	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:45.321866035 CET	19695	49742	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:45.321947098 CET	49742	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:45.322321892 CET	49742	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:45.327205896 CET	19695	49742	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:46.970494032 CET	19695	49742	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:46.970611095 CET	49742	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:51.971903086 CET	49742	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:51.972966909 CET	49743	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:51.976839066 CET	19695	49742	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:51.977910995 CET	19695	49743	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:51.978002071 CET	49743	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:51.978347063 CET	49743	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:51.983185053 CET	19695	49743	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:53.625164032 CET	19695	49743	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:53.625303984 CET	49743	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:58.628204107 CET	49743	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:58.629220963 CET	49751	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:58.633107901 CET	19695	49743	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:58.634176016 CET	19695	49751	18.156.13.209	192.168.2.4
Jan 14, 2025 06:07:58.634290934 CET	49751	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:58.634751081 CET	49751	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:07:58.639636040 CET	19695	49751	18.156.13.209	192.168.2.4
Jan 14, 2025 06:08:00.280348063 CET	19695	49751	18.156.13.209	192.168.2.4
Jan 14, 2025 06:08:00.280440092 CET	49751	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:08:05.285882950 CET	49751	19695	192.168.2.4	18.156.13.209
Jan 14, 2025 06:08:05.290786028 CET	19695	49751	18.156.13.209	192.168.2.4
Jan 14, 2025 06:08:05.297043085 CET	49797	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:05.302000046 CET	19695	49797	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:05.302087069 CET	49797	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:05.302545071 CET	49797	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:05.307400942 CET	19695	49797	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:06.955172062 CET	19695	49797	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:06.955363989 CET	49797	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:11.956192970 CET	49797	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:11.956924915 CET	49832	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:11.961025953 CET	19695	49797	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:11.961910963 CET	19695	49832	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:11.963957071 CET	49832	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:11.964227915 CET	49832	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:11.969106913 CET	19695	49832	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:13.591449976 CET	19695	49832	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:13.591572046 CET	49832	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:18.596910000 CET	49832	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:18.598440886 CET	49877	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:18.601799965 CET	19695	49832	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:18.603285074 CET	19695	49877	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:18.603363037 CET	49877	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:18.603703022 CET	49877	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:18.608468056 CET	19695	49877	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:20.251400948 CET	19695	49877	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:20.251477957 CET	49877	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:25.253062963 CET	49877	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:25.253880024 CET	49922	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:25.257884979 CET	19695	49877	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:25.258737087 CET	19695	49922	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:25.258825064 CET	49922	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:25.259079933 CET	49922	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:25.263866901 CET	19695	49922	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:26.940983057 CET	19695	49922	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:26.941346884 CET	49922	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:31.956110954 CET	49922	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:31.956996918 CET	49961	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:31.961069107 CET	19695	49922	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:31.961819887 CET	19695	49961	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:31.961941957 CET	49961	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:31.962507010 CET	49961	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:31.967302084 CET	19695	49961	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:33.628348112 CET	19695	49961	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:33.628484011 CET	49961	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:38.643721104 CET	49961	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:38.644591093 CET	50005	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:38.648629904 CET	19695	49961	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:38.649422884 CET	19695	50005	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:38.649504900 CET	50005	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:38.650104046 CET	50005	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:38.656948090 CET	19695	50005	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:40.279841900 CET	19695	50005	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:40.280035973 CET	50005	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:45.284337997 CET	50005	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:45.285201073 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:45.289159060 CET	19695	50005	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:45.290154934 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:45.290241957 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:45.290599108 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:45.295403957 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:47.811255932 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:47.811480999 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:47.813889027 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:47.813972950 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:47.814054966 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:47.814054966 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:47.814477921 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:47.814610004 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:52.815524101 CET	50017	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:52.816584110 CET	50018	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:52.820370913 CET	19695	50017	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:52.821461916 CET	19695	50018	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:52.821579933 CET	50018	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:52.822000980 CET	50018	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:52.826761007 CET	19695	50018	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:54.450695992 CET	19695	50018	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:54.450776100 CET	50018	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:59.456098080 CET	50018	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:59.457019091 CET	50019	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:59.460901022 CET	19695	50018	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:59.461889982 CET	19695	50019	3.127.138.57	192.168.2.4
Jan 14, 2025 06:08:59.461987019 CET	50019	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:59.462294102 CET	50019	19695	192.168.2.4	3.127.138.57
Jan 14, 2025 06:08:59.467058897 CET	19695	50019	3.127.138.57	192.168.2.4
Jan 14, 2025 06:09:01.092858076 CET	19695	50019	3.127.138.57	192.168.2.4
Jan 14, 2025 06:09:01.092976093 CET	50019	19695	192.168.2.4	3.127.138.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 06:07:05.320638895 CET	55583	53	192.168.2.4	1.1.1.1
Jan 14, 2025 06:07:05.330457926 CET	53	55583	1.1.1.1	192.168.2.4
Jan 14, 2025 06:08:05.287142992 CET	61625	53	192.168.2.4	1.1.1.1
Jan 14, 2025 06:08:05.296385050 CET	53	61625	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 06:07:05.320638895 CET	192.168.2.4	1.1.1.1	0x66a9	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 14, 2025 06:08:05.287142992 CET	192.168.2.4	1.1.1.1	0x390a	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 06:07:05.330457926 CET	1.1.1.1	192.168.2.4	0x66a9	No error (0)	2.tcp.eu.ngrok.io		18.156.13.209	A (IP address)	IN (0x0001)	false
Jan 14, 2025 06:08:05.296385050 CET	1.1.1.1	192.168.2.4	0x390a	No error (0)	2.tcp.eu.ngrok.io		3.127.138.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:07:00
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\Discord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Discord.exe"
Imagebase:	0xea0000
File size:	46'080 bytes
MD5 hash:	9DCD35FE3CAFEC7A25AA3CDD08DED1F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1690024074.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 01431727 Relevance: 5.4, Strings: 4, Instructions: 443COMMON

Download Yara Rule

Strings

a^q, xrefs: 01431CDF
,, xrefs: 01431870
xbq, xrefs: 01431D76
a^q, xrefs: 01431D3C

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: a^q$ a^q$,$xbq
API String ID: 0-2180861429
Opcode ID: 3ef7a0c4cf24dcc2abc3bdb3271289a083ae00bfcafb3a0e2c07cdd43dcdc53e
Instruction ID: 12c9207bdd9ac87dc0bf4f8eb35bf62916988ae20cb233a794050aa539fe4d77
Opcode Fuzzy Hash: 3ef7a0c4cf24dcc2abc3bdb3271289a083ae00bfcafb3a0e2c07cdd43dcdc53e
Instruction Fuzzy Hash: 6002ADB07012049FC715DF29D444B2E7BE2FF98705F148A69E4169F3A5DB74AC86CB82

Function 01431962 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

a^q, xrefs: 01431CDF
xbq, xrefs: 01431D76
a^q, xrefs: 01431D3C

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 4972cd715cde34188d1cb9d8abaa980e48e0549fa0326a6ff0a19c9b4e353b42
Instruction ID: cfacd9563e3f5caadff5f0fba3154050d9f970ebeb688f013092b484003ce267
Opcode Fuzzy Hash: 4972cd715cde34188d1cb9d8abaa980e48e0549fa0326a6ff0a19c9b4e353b42
Instruction Fuzzy Hash: 07617AB07003048FD7259F29D444B6A7BE2FB98705F108A69E5169F3A4DBB1AD86CB81

Function 01430EBC Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

Te^q, xrefs: 01430EED
d7p, xrefs: 01430F05
(bq, xrefs: 01431192

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: (bq$Te^q$d7p
API String ID: 0-1699803613
Opcode ID: 9c11f169796b012e0ac03aed44eae8518472299941e1c452956f91fecae5252d
Instruction ID: 64f88ac103c0239e314ee273462c298495d78199fa5945410cc3db28962ce656
Opcode Fuzzy Hash: 9c11f169796b012e0ac03aed44eae8518472299941e1c452956f91fecae5252d
Instruction Fuzzy Hash: 2A519D74B102148FCB54DF6DD458A5EBBF6FF89710F2581AAE802DB3A5CA759C01CB80

Function 01430D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

dLdq, xrefs: 01430D5B
Hbq, xrefs: 01430E40

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: b443507dcfd1a702e781d4f460b5d0cc008ecf8baea6f64dea717ebb354f6074
Instruction ID: ff23265e82b5dcb36fe3c4971ac1265f4ed5342e31263fc460ebba7899ad2541
Opcode Fuzzy Hash: b443507dcfd1a702e781d4f460b5d0cc008ecf8baea6f64dea717ebb354f6074
Instruction Fuzzy Hash: 5741D331B042148FCB19DF6CD458A9EBBF2BF88310F1445AAE406EB3A2CB759C05CB91

Function 01431339 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0143138B

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: ef5b3bd7c63dc5c881a9bb8b726ed82e9abf9e5abc90f90cbca4eca5babb34a7
Instruction ID: db2244af32def377af7f81cf61eb2cc00218396d1d6b152d87e0c12d774feb08
Opcode Fuzzy Hash: ef5b3bd7c63dc5c881a9bb8b726ed82e9abf9e5abc90f90cbca4eca5babb34a7
Instruction Fuzzy Hash: 8D31E174F002168FDB14AB7C945096FBBF6EFC9614B14416EE54ADB3A1EE308C028792

Function 01430D10 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

dLdq, xrefs: 01430D5B

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: 95dc2ae487ba17d70b7a444598443b183716b30bab9031501d15fdcdb2bcd41e
Instruction ID: 9063a083a32ce97e0c54601e9a247a699a8e26fe29136172d4b4d09e47283728
Opcode Fuzzy Hash: 95dc2ae487ba17d70b7a444598443b183716b30bab9031501d15fdcdb2bcd41e
Instruction Fuzzy Hash: 36316D71A002158FDB14DF69D488BAEBBF2BF88300F14856AE406AB361CB75ED45CF91

Function 01430E3F Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01430E40

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 3af0d0d4936838ecffdfe9a91e03fe16afa88b249cdcfb5245c4142145232502
Instruction ID: 5917a884fac4c71239c90076ee9b848f552851d5d430168c7d5e433e35340494
Opcode Fuzzy Hash: 3af0d0d4936838ecffdfe9a91e03fe16afa88b249cdcfb5245c4142145232502
Instruction Fuzzy Hash: B6F02231B043904FC3969B3CA41446E3FE3AFDA22032508FAE10ACB3A2DD2C8C068761

Function 01430AA0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dd6d2be9d105c7da1b43afd794b52346505570de3f0f16bd3a1290c34a18d1
Instruction ID: 94d4a187521a2425aefeb631dffd1149685eb37f4935c66f4bd563101ba4bbf0
Opcode Fuzzy Hash: 25dd6d2be9d105c7da1b43afd794b52346505570de3f0f16bd3a1290c34a18d1
Instruction Fuzzy Hash: 895109B4503319CFC725DF26E44454A77B6FB8430AB108A69D8168B298DB39AD86CF92

Function 014311D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c4effa8d81d94eeb19ce0f92beff78f755231bc04c7b67d82de92c5fbf2e23
Instruction ID: 3346e21254bde9753fe2b4d469a70e0b3b6aa3058ed5befe5bb1d72c1b0df4f0
Opcode Fuzzy Hash: a6c4effa8d81d94eeb19ce0f92beff78f755231bc04c7b67d82de92c5fbf2e23
Instruction Fuzzy Hash: 9F4168B1E00209AFCB44EFB9854466EBBFAFFC8701F20856AD54AD7345DB349D428B91

Function 01431030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81ba6ee1402ddc0f0cdc4dc986ab10479a8dbbb52c89d0ccb8aea2db4d55bdf
Instruction ID: b3dd97323b1085ba4d7df6758de4277378641eb1bbcf1c335f738f34d7bce9d9
Opcode Fuzzy Hash: a81ba6ee1402ddc0f0cdc4dc986ab10479a8dbbb52c89d0ccb8aea2db4d55bdf
Instruction Fuzzy Hash: AB212B75B001059FD714DB69C594BAEBBF2BF8CB20F248159E901EB3A5CB719C01CB80

Function 013DD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933227477.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8274b7fbf2e406868ea08d3692ab5b34949df7065caf7ba8c17d46b4dff4bee
Instruction ID: 7dae0e504fbddb09f8fd96af6fc4c7bc60e7c38dce3209ce03a25b63cb6db9c7
Opcode Fuzzy Hash: e8274b7fbf2e406868ea08d3692ab5b34949df7065caf7ba8c17d46b4dff4bee
Instruction Fuzzy Hash: 402128B2504204DFDB06DF98E9C0B26BF66FB94328F64C56DE90A0B296C336D416C7A1

Function 01430998 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b5f425413e42fdbf4bd2b595f4823f46d30136742233e3ea895c1b21e2128
Instruction ID: b90ab25c0bbca18faa19ad296cbeef72c5eae327ce8dc4f38dad18d8e06f5608
Opcode Fuzzy Hash: 546b5f425413e42fdbf4bd2b595f4823f46d30136742233e3ea895c1b21e2128
Instruction Fuzzy Hash: 712153707013068FDB79AB79A55427F3AE8AFA8305F10472EF847D72A4EA348942CB55

Function 014309A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6283052732121da592004c88e3df8b462fa2f43498d8fc805fa17003ac3c012b
Instruction ID: 4e665edb283a6f6fb861562096a33737c71793c023edbbf31a44cb6b03e4fac8
Opcode Fuzzy Hash: 6283052732121da592004c88e3df8b462fa2f43498d8fc805fa17003ac3c012b
Instruction Fuzzy Hash: A32136707112068FDF74BBB9B51462F3AE8AF98705F00472AB507C7295EE34C942CB56

Function 013DD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933227477.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13dd000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 0b25cd185515732551ae1dfffb2a7cba7405c351976663c387b8784d4f965f94
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 9611D376904240DFDB16CF58D9C4B16BF72FB84328F24C5A9D9090B297C336D45ACBA2

Function 01431431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879da8792fd059b2bc852c87e1e3e78cba130909eae282e8f3a69bfdb78cfb79
Instruction ID: 3c600ab2758d684d5de99ca7789f583441d2e7a08a040dec1d5680d590a8bed7
Opcode Fuzzy Hash: 879da8792fd059b2bc852c87e1e3e78cba130909eae282e8f3a69bfdb78cfb79
Instruction Fuzzy Hash: 8A11CE70A01309DFCB54DFB9C50466A77F5EF88710B0004BAD405CB360EA35DC42CB81

Function 01431440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ad7204e38d1991f6a3907682077c666981fdaefb6519ac10e9211310fc20ec
Instruction ID: a521e93aa1f583841a32464e2f45d935a0bb981f2651463672da7d115fc0798b
Opcode Fuzzy Hash: f7ad7204e38d1991f6a3907682077c666981fdaefb6519ac10e9211310fc20ec
Instruction Fuzzy Hash: 0511A1B0B01209DFCB54DBB9D504A2B7BE6EF8C605B1004B9D409CB360EA35DC42CB91

Function 014316A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adbef34ad0304c8a4426f209e3ddb7763fbf6d976dbd748d092b21302a60d94
Instruction ID: cc942d488663d7129692f738cef9e00506c6c5dbca4a301f67d54b8b734145ff
Opcode Fuzzy Hash: 5adbef34ad0304c8a4426f209e3ddb7763fbf6d976dbd748d092b21302a60d94
Instruction Fuzzy Hash: DE015A70B02215CFEB58DFA990006BE77B4EF98614F08416EC81997361DB345D428B82

Function 01430E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812b902ec87fc426a089568bb4b83489314e356802ec89804d10e58894af653b
Instruction ID: 0f4d2ec66aeeda6c14b21f0065e29cc10f1e1c9631b389024f41835ed0579200
Opcode Fuzzy Hash: 812b902ec87fc426a089568bb4b83489314e356802ec89804d10e58894af653b
Instruction Fuzzy Hash: 3AE08C363002045F87549A2EF88885AB7DAEBC862432408B9E10AC7365DD60CC014390

Function 01430A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0060946c11d271e6d234d574d8ce81f9c1531ddf462113e2e304fa7fcd6c934
Instruction ID: fb28cf89966f819fab31223f6200de48630bdc0068311f13703ec4e2171cc4e8
Opcode Fuzzy Hash: b0060946c11d271e6d234d574d8ce81f9c1531ddf462113e2e304fa7fcd6c934
Instruction Fuzzy Hash: 87C0122410534ACADB3223E4A008A283AA8A7E830AF00030BF1024A9E58E340803871A

Function 01430A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2933495710.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564fd0803b757f38fdae702064076fa9d076a371376fa903b6b0f05f0c1d4cd4
Instruction ID: 2a78c0bba50ec6c940567cdaf7f74fdca3da3c857ad5d5b65d01168d1dc2a5e4
Opcode Fuzzy Hash: 564fd0803b757f38fdae702064076fa9d076a371376fa903b6b0f05f0c1d4cd4
Instruction Fuzzy Hash: 9CC0122810530ACED33233E4A008A2C39A8ABE830AF000306F1024A9E58E340803431A

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Discord.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
Discord.exe