
Windows Analysis Report
SZf8I0IvEg.exe

Overview

General Information

Sample name: SZf8I0IvEg.exe (renamed because original name is a hash value)
Original sample name: ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe
Analysis ID: 1650930
MD5: c7c64687ae709d71b1440fd99a62f0f6
SHA1: 10e8a15dcf18d8752eced5ab22650cdc8e1e7309
SHA256: ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33
Tags: exe, goodsvibes-dynuddns-net, user-JAMESWT_MHT

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • SZf8I0IvEg.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\SZf8I0IvEg.exe" MD5: C7C64687AE709D71B1440FD99A62F0F6)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{
  "Server": "goodsvibes.dynuddns.net",
  "Port": "9852",
  "Version": " 1.0.7",
  "MutexName": "DcRatMutex_qGo",
  "Autorun": "false",
  "Group": "Marzo17-25"
}
Source | Rule | Description | Author | Strings
SZf8I0IvEg.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
SZf8I0IvEg.exe | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65fb:$a1: havecamera
    • 0x9ac4:$a2: timeout 3 > NUL
    • 0x9ae4:$a3: START "" "
    • 0x996f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a24:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
SZf8I0IvEg.exe | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
    • 0xa11e:$str01: DcRatByqwqdanchun
    • 0x9a24:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
    • 0x97e0:$str03: Po_ng
    • 0x97b6:$str04: Pac_ket
    • 0x9ec2:$str05: Perfor_mance
    • 0x9f06:$str06: Install_ed
    • 0x66dd:$str07: get_IsConnected
    • 0x7036:$str08: get_ActivatePo_ng
    • 0x79be:$str09: isVM_by_wim_temper
    • 0x97fc:$str10: save_Plugin
    • 0x9ac4:$str11: timeout 3 > NUL
    • 0x9b36:$str12: ProcessHacker.exe
    • 0x9ca6:$str13: Select * from Win32_CacheMemory
SZf8I0IvEg.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a24:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x996f:$s2: L2Mgc2NodGFza3MgL2
    • 0x98ee:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x993c:$s4: VmlydHVhbFByb3RlY3Q
SZf8I0IvEg.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9ca6:$q1: Select * from Win32_CacheMemory
    • 0x9ce6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d34:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9d82:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x4c9:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
      • 0x63fb:$a1: havecamera
      • 0x98c4:$a2: timeout 3 > NUL
      • 0x98e4:$a3: START "" "
      • 0x976f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      • 0x9824:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
      • 0x3818:$b2: DcRat By qwqdanchun1
00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
        • 0x75f8:$b2: DcRat By qwqdanchun1
        • 0xf31c:$b2: DcRat By qwqdanchun1
        • 0xf56c:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
0.0.SZf8I0IvEg.exe.e20000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.SZf8I0IvEg.exe.e20000.0.unpack | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
          • 0x65fb:$a1: havecamera
          • 0x9ac4:$a2: timeout 3 > NUL
          • 0x9ae4:$a3: START "" "
          • 0x996f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
          • 0x9a24:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.SZf8I0IvEg.exe.e20000.0.unpack | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
          • 0xa11e:$str01: DcRatByqwqdanchun
          • 0x9a24:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
          • 0x97e0:$str03: Po_ng
          • 0x97b6:$str04: Pac_ket
          • 0x9ec2:$str05: Perfor_mance
          • 0x9f06:$str06: Install_ed
          • 0x66dd:$str07: get_IsConnected
          • 0x7036:$str08: get_ActivatePo_ng
          • 0x79be:$str09: isVM_by_wim_temper
          • 0x97fc:$str10: save_Plugin
          • 0x9ac4:$str11: timeout 3 > NUL
          • 0x9b36:$str12: ProcessHacker.exe
          • 0x9ca6:$str13: Select * from Win32_CacheMemory
0.0.SZf8I0IvEg.exe.e20000.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
          • 0x9a24:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
          • 0x996f:$s2: L2Mgc2NodGFza3MgL2
          • 0x98ee:$s3: QW1zaVNjYW5CdWZmZXI
          • 0x993c:$s4: VmlydHVhbFByb3RlY3Q
0.0.SZf8I0IvEg.exe.e20000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
          • 0x9ca6:$q1: Select * from Win32_CacheMemory
          • 0x9ce6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
          • 0x9d34:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
          • 0x9d82:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-28T08:36:33.468392+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP
2025-03-28T08:36:33.468392+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP
2025-03-28T08:36:33.468392+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP


          AV Detection

Source: SZf8I0IvEg.exe | Avira: detected
Source: goodsvibes.dynuddns.net | Avira URL Cloud: Label: malware
Source: SZf8I0IvEg.exe | Malware Configuration Extractor: AsyncRAT {"Server": "goodsvibes.dynuddns.net", "Port": "9852", "Version": " 1.0.7", "MutexName": "DcRatMutex_qGo", "Autorun": "false", "Group": "Marzo17-25"}
Source: SZf8I0IvEg.exe | Virustotal: Detection: 79%
Source: SZf8I0IvEg.exe | ReversingLabs: Detection: 80%
Source: Submitted Sample | Neural Call Log Analysis: 94.2%
Source: SZf8I0IvEg.exe | String decryptor: 9852
Source: SZf8I0IvEg.exe | String decryptor: goodsvibes.dynuddns.net
Source: SZf8I0IvEg.exe | String decryptor: 1.0.7
Source: SZf8I0IvEg.exe | String decryptor: false
Source: SZf8I0IvEg.exe | String decryptor: DcRatMutex_qGo
Source: SZf8I0IvEg.exe | String decryptor: dGUVfcePaRwsym7gbgWOEl5IaDTRxXCExDI8PIraed/7TrK00iUi6nsUraCY49L05IVSiIK7QyhcHvWgSa4nLQQKgr+D92N15mK56C5OxzHEpIm9CnmLUnOid4ay546ky5OEWESt4hmV9OCCadz5oaOPcwIcPYRHHQ1KFsxOC2o=
Source: SZf8I0IvEg.exe | String decryptor: null
Source: SZf8I0IvEg.exe | String decryptor: Marzo17-25
Source: SZf8I0IvEg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.134.105:9852 -> 192.168.2.4:49712
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 176.65.134.105:9852 -> 192.168.2.4:49712
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 176.65.134.105:9852 -> 192.168.2.4:49712
Source: Malware configuration extractor | URLs: goodsvibes.dynuddns.net
Source: unknown | DNS query: name: goodsvibes.dynuddns.net
Source: global traffic | TCP traffic: 192.168.2.4:49712 -> 176.65.134.105:9852
Source: Joe Sandbox View | ASN Name: DIOGELO-ASGB DIOGELO-ASGB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: goodsvibes.dynuddns.net
Source: SZf8I0IvEg.exe, 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SZf8I0IvEg.exe, 00000000.00000002.2425638876.000000000132C000.00000004.00000020.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

          System Summary

Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Code function: 0_2_00007FFC3DDB90F2
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Code function: 0_2_00007FFC3DDB308D
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Code function: 0_2_00007FFC3DDB8346
Source: SZf8I0IvEg.exe, 00000000.00000000.1179051193.0000000000E2E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs SZf8I0IvEg.exe
Source: SZf8I0IvEg.exe | Binary or memory string: OriginalFilenameClient.exe" vs SZf8I0IvEg.exe
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: SZf8I0IvEg.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: SZf8I0IvEg.exe, Settings.cs | Base64 encoded string: 'OAknEO0ilwBypamBm7kB4SyppLeTK3dM0HickL21OBBmEeGHqIaT/TRoIugwUU6n9gKFULkv87Ja0TxAyddtxA==', 'mwJlyJoCsJyIVXKEZNc7AndRl18vYBIzONbz87u/zs/uEnAiIy33VK+eJerBpugVTlvMY9M+EeLg7GGQH3ZKNw==', 'W8+ziyUP0dmTKPuQg497pHioJgJBESvFFWcy77FFbczRXjv1mtxO2w/mZBfHnUHJP8kqIJlT2GBoZ7JCEW+2l5fT8FReSzqX/GEpUJu/UVypXpvsc9LTxPkdo1c1lEnJLbQrrQC8oRsETaL1nJ7AQuacruuxlNhEL82/FFF9OJeHHcHBZmDzkP+7gVsQyGwQUe42uOa5WEbtq1FYZygsp8OiPoah+oSEugYqGxSpZgcY27gLt27FzJuSUVx/j9qQX0ZWibKAPNe2qXxR4JrnWoQHj9Hd+7XCWweqhmyWBuE=', 'Z7QvwinbzI0ryDAqU2ofVPjJq9+PSYiK7Cq1a8qjk5lm1Jb0YN8pMJiS0EoFj8mgcVX2W3F8KUKpxGpYx69jnQ==', 'LSAs76MwknLa+OiTtn/EEtCnqfXaaV2Ad0rYsA/24Iq9U3Dc7x7GL6L391thJoQMFVPNAB4RRZ5eUzVhLuNNMA==', 'YMTLGimZ2xR6igLGw3UPWZEzaeklvB3N8rPp6G0LN3CcGO6Rbh88A5q7rSk52wUlnL80h2uG3cuTg0/IphJZOw=='
Source: SZf8I0IvEg.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qGo
Source: SZf8I0IvEg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SZf8I0IvEg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: devenum.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: SZf8I0IvEg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Code function: 0_2_00007FFC3DDB00BD pushad ; iretd 0_2_00007FFC3DDB00C1

          Boot Survival

Source: Yara match | File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match; file source: SZf8I0IvEg.exe, type: SAMPLE
          Source: Yara match; file source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; file source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR
          Source: SZf8I0IvEg.exe; binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; memory allocated: 1560000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; memory allocated: 1B290000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; Window / User API: threadDelayed 1844
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; Window / User API: threadDelayed 8006
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7812; thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7828; thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7836; thread sleep count: 1844 > 30
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7836; thread sleep count: 8006 > 30
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; file volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; thread delayed: delay time: 922337203685477
          Source: SZf8I0IvEg.exe, 00000000.00000002.2429043352.000000001BD55000.00000004.00000020.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; process token adjusted: Debug
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; memory allocated: page read and write | page guard
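The thread-delay observations above are the raw material for the report's "long sleeps" and "sleep loop" signatures. The following is an added example (not part of the Joe Sandbox report) that reimplements those two heuristics over a constructed NtDelayExecution trace: it converts the negative 100-nanosecond intervals the API takes into milliseconds, recognises the Int64.MaxValue "sleep forever" value that shows up above as 922337203685477 ms, and applies the report's own thresholds (30 s per sleep, more than 30 sleeps per thread). The trace, thread IDs and per-call intervals are constructed, not captured from the sample.

```python
"""Sleep-based sandbox-evasion heuristics over an NtDelayExecution trace.

Added example, not part of the Joe Sandbox report. The trace below is
constructed to mirror the thread-delay observations in the report; the
thresholds are the ones the report's signatures use.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# NtDelayExecution takes a LARGE_INTEGER: a negative value is a relative
# interval in 100-nanosecond units, a positive one an absolute system time.
TICKS_PER_MS = 10_000
INT64_MAX = 0x7FFF_FFFF_FFFF_FFFF  # "sleep forever" as passed by .NET infinite timeouts

LONG_SLEEP_MS = 30_000   # report: "Thread sleep time ... >= -30000s" (30 s, in ms)
LOOP_THRESHOLD = 30      # report: "Thread sleep count: 1844 > 30"


@dataclass(frozen=True)
class DelayCall:
    tid: int
    interval: int  # raw LARGE_INTEGER argument (negative = relative)


def interval_to_ms(raw: int) -> float:
    """Convert a relative delay interval to milliseconds."""
    if raw >= 0:
        raise ValueError("absolute timeouts are not handled here")
    return -raw / TICKS_PER_MS


def is_infinite(raw: int) -> bool:
    """Int64.MaxValue ticks -> 922337203685477 ms, the value in the report."""
    return -raw == INT64_MAX


def analyse(trace: list[DelayCall]) -> dict:
    """Flag long single sleeps and tight sleep loops, per thread."""
    per_thread = Counter(call.tid for call in trace)
    long_sleeps = [c for c in trace if interval_to_ms(c.interval) >= LONG_SLEEP_MS]
    loop_threads = sorted(tid for tid, n in per_thread.items() if n > LOOP_THRESHOLD)
    return {
        "infinite_sleeps": sum(is_infinite(c.interval) for c in trace),
        "long_sleeps": len(long_sleeps),
        "loop_threads": loop_threads,
        "evasive": bool(long_sleeps) or bool(loop_threads),
    }


# Constructed trace: thread 7828 parks forever, thread 7812 sleeps 30 s once,
# thread 7836 spins through 1844 short sleeps (the counts the report shows).
SAMPLE_TRACE = (
    [DelayCall(7828, -INT64_MAX)]
    + [DelayCall(7812, -LONG_SLEEP_MS * TICKS_PER_MS)]
    + [DelayCall(7836, -100 * TICKS_PER_MS)] * 1844
)

if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

The infinite sleep counts as a long sleep too, so `long_sleeps` is 2 for the constructed trace; a sandbox that patches Sleep (as the API Interceptor entry in the timeline below records) is exactly what turns such a call from an evasion into a visible signature.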

          HIPS / PFW / Operating System Protection Evasion

          Source: SZf8I0IvEg.exe, AntiProcess.cs; reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
          Source: SZf8I0IvEg.exe, Win32.cs; reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (two occurrences)
          Source: SZf8I0IvEg.exe, Amsi.cs; reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
          Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000035C5000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.000000000330E000.00000004.00000800.00020000.00000000.sdmp; binary or memory string: Program Manager
          Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000035C5000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.000000000330E000.00000004.00000800.00020000.00000000.sdmp; binary or memory string: Program Manager@
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; queries volume information: C:\Users\user\Desktop\SZf8I0IvEg.exe VolumeInformation
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match; file source: SZf8I0IvEg.exe, type: SAMPLE
          Source: Yara match; file source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
          Source: Yara match; file source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; file source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR
          Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp; binary or memory string: MSASCui.exe
          Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp; binary or memory string: procexp.exe
          Source: SZf8I0IvEg.exe, 00000000.00000002.2428687312.000000001BCA9000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp; binary or memory string: MsMpEng.exe
          Source: C:\Users\user\Desktop\SZf8I0IvEg.exe; WMI query: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
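The two sections above, taken together, describe the classic AsyncRAT host-fingerprinting sequence: an AV inventory through the root\SecurityCenter2 AntivirusProduct WMI class, a MachineGuid read used as a stable bot identifier, embedded names of analysis tools and Defender processes, and a memory-protection change to 64u (0x40, which is PAGE_EXECUTE_READWRITE whatever native API the Win32.cs delegate trick binds the wrapper to) at an amsi.dll address. The following is an added example (not part of the Joe Sandbox report) of detection logic that scores a stream of host events for these primitives. The Event schema, the sample events and the verdict thresholds are constructed for illustration; only the indicator values come from the report, and the ATT&CK technique IDs are added here for reference.

```python
"""Score host telemetry for the AV-inventory, host-ID and AMSI-tamper
primitives listed in the report's HIPS-evasion sections.

Added example, not part of the Joe Sandbox report. The Event schema and the
sample events are constructed for illustration; the indicator values (WMI
query, MachineGuid key, process names, protection 64 = 0x40) are the ones
the report shows. ATT&CK IDs are added for reference.
"""
from __future__ import annotations

from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # the literal 64u passed in Amsi.cs

# Process names embedded in the sample: analysis tools and Defender components.
WATCHED_PROCESSES = {"taskmgr.exe", "processhacker.exe", "procexp.exe",
                     "msascui.exe", "msmpeng.exe"}
MACHINE_GUID_KEY = r"hkey_local_machine\software\microsoft\cryptography\machineguid"


@dataclass(frozen=True)
class Event:
    op: str            # "wmi" | "reg_read" | "proc_lookup" | "mem_protect"
    target: str        # query text, registry value path, process name, or module
    protect: int = 0   # new page protection for mem_protect


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def check(events: list[Event]) -> list[Finding]:
    """Map raw events to findings; process lookups are aggregated into one."""
    findings: list[Finding] = []
    looked_up: set[str] = set()
    for e in events:
        t = e.target.lower()
        if e.op == "wmi" and "securitycenter2" in t and "antivirusproduct" in t:
            findings.append(Finding("T1518.001", "AV inventory via root\\SecurityCenter2 AntivirusProduct"))
        elif e.op == "reg_read" and t == MACHINE_GUID_KEY:
            findings.append(Finding("T1082", "MachineGuid read (stable host identifier)"))
        elif e.op == "proc_lookup" and t in WATCHED_PROCESSES:
            looked_up.add(t)
        elif e.op == "mem_protect" and e.protect == PAGE_EXECUTE_READWRITE and t == "amsi.dll":
            # A (address, size, 0x40, out old) call against a loaded amsi.dll
            # page is the staging step for an in-memory AMSI patch.
            findings.append(Finding("T1562.001", "RWX protection set on an amsi.dll page (patch staging)"))
    if looked_up:
        findings.append(Finding("T1057", "looked up analysis/AV processes: " + ", ".join(sorted(looked_up))))
    return findings


def verdict(findings: list[Finding]) -> str:
    """AMSI tampering alone, or AV inventory plus tool enumeration, is high."""
    techniques = {f.technique for f in findings}
    if "T1562.001" in techniques or {"T1518.001", "T1057"} <= techniques:
        return "high"
    return "medium" if techniques else "clean"


# Constructed events mirroring the report's observations.
SAMPLE_EVENTS = [
    Event("wmi", r"root\SecurityCenter2 : Select * from AntivirusProduct"),
    Event("reg_read", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    Event("proc_lookup", "TASKMGR.EXE"),
    Event("proc_lookup", "PROCESSHACKER.EXE"),
    Event("mem_protect", "amsi.dll", protect=PAGE_EXECUTE_READWRITE),
]
# Benign contrast: a read/write heap page and an unrelated registry read.
BENIGN_EVENTS = [
    Event("mem_protect", "heap", protect=0x04),
    Event("reg_read", r"HKEY_CURRENT_USER\Software\Example\Setting"),
]

if __name__ == "__main__":
    for f in check(SAMPLE_EVENTS):
        print(f.technique, f.detail)
    print(verdict(check(SAMPLE_EVENTS)), verdict(check(BENIGN_EVENTS)))
```

A single MachineGuid read is common in legitimate software, which is why it only reaches "medium" on its own; the combination with the SecurityCenter2 query and the process-name lookups is what makes the pattern specific.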

          Stealing of Sensitive Information

          Source: Yara match; file source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match; file source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; file source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR
          MITRE ATT&CK Matrix

          Techniques with signature hits, by tactic (the count badges are reproduced as rendered in the matrix):

          Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); Native API (1)
          Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
          Privilege Escalation: Process Injection (1); Scheduled Task/Job (1); DLL Side-Loading (1)
          Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (1); Obfuscated Files or Information (111); DLL Side-Loading (1)
          Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
          Collection: Archive Collected Data (1)
          Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)

          No hits: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph (ID 1650930; sample SZf8I0IvEg.exe; start date 28/03/2025; architecture WINDOWS; score 100), rendered as text:
          • Start -> SZf8I0IvEg.exe (started; node counters rendered as 1 and 2)
          • DNS/IP nodes: goodsvibes.dynuddns.net; bg.microsoft.map.fastly.net
          • Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
          • Signature on goodsvibes.dynuddns.net: Uses dynamic DNS services
          • SZf8I0IvEg.exe -> goodsvibes.dynuddns.net (176.65.134.105), local port 49712 to remote port 9852, ASN DIOGELO-ASGB, Germany

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          [screenshot thumbnail: windows-stand]
          Antivirus detection

          Source | Detection | Scanner | Label
          SZf8I0IvEg.exe | 79% | Virustotal |
          SZf8I0IvEg.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
          SZf8I0IvEg.exe | 100% | Avira | HEUR/AGEN.1307404
          SAMPLE | 100% | Joe Sandbox ML |

          No Antivirus matches (reported for the three remaining scan tables)

          Source | Detection | Scanner | Label
          goodsvibes.dynuddns.net | 100% | Avira URL Cloud | malware


                Domains and IPs

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                bg.microsoft.map.fastly.net | 199.232.90.172 | true | false | | high
                goodsvibes.dynuddns.net | 176.65.134.105 | true | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                goodsvibes.dynuddns.net | true | Avira URL Cloud: malware | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp | false | | high

                IP | Domain | Country | ASN | ASN Name | Malicious
                176.65.134.105 | goodsvibes.dynuddns.net | Germany | 56325 | DIOGELO-ASGB | true
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1650930
                Start date and time:2025-03-28 08:35:30 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 37s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SZf8I0IvEg.exe
                renamed because original name is a hash value
                Original Sample Name:ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/2@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 6
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 199.232.90.172, 23.204.23.20, 172.202.163.200
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                TimeTypeDescription
                Time | Type | Description
                03:36:33 | API Interceptor | 1x Sleep call for process: SZf8I0IvEg.exe modified
                Match: bg.microsoft.map.fastly.net
                Associated Sample Name / URL | Detection | Threat Name | Context
                7NOT92-GmT6-1OjO9-R14.msi | malicious | Unknown | 151.101.46.172
                SOA.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.90.172
                MetroHealthNow.com.pdf | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 199.232.38.172
                PURCHASE ORDER 517-2025.xla.xlsx | malicious | Unknown | 199.232.90.172
                SecuriteInfo.com.Trojan.Win32.32652.13367.exe | malicious | ScreenConnect Tool | 199.232.38.172
                SecuriteInfo.com.Trojan.Win32.32652.13367.exe | malicious | ScreenConnect Tool | 199.232.90.172
                https://webmail-oxcs.networksolutionsemail.com/appsuite/api/share/06aa762107b86ac26a9d4b37b86a49dfbc05657fa4e7fd74/1/8/MjYx | malicious | Orcus | 199.232.90.172
                New Order For 2000 Pieces.exe | malicious | AgentTesla | 199.232.90.172
                XRealStats.xlam | malicious | Unknown | 199.232.38.172
                VerifiedAssetLinked.exe | malicious | AsyncRAT, KeyLogger, Quasar, XWorm | 199.232.90.172

                Match: DIOGELO-ASGB
                Associated Sample Name / URL | Detection | Threat Name | Context
                Z9dgTYzz4x.exe | malicious | RHADAMANTHYS | 176.65.134.153
                killua.x86.elf | malicious | Unknown | 176.65.134.43
                a55fee51fe469b7ed4f23ef3753b380fb548d65f40306962.pptm.ps1 | malicious | RHADAMANTHYS | 176.65.134.153
                sparc.nn.elf | malicious | Mirai | 176.65.134.15
                jae1h6e218.exe | malicious | RHADAMANTHYS | 176.65.134.145
                5IY8PW2nOl.exe | malicious | RHADAMANTHYS | 176.65.134.145
                tdm.js | malicious | Remcos | 176.65.134.41
                morte.x64.elf | malicious | Unknown | 176.65.134.62
                morte.m68k.elf | malicious | Unknown | 176.65.134.62
                morte.mips.elf | malicious | Unknown | 176.65.134.62
                Process:C:\Users\user\Desktop\SZf8I0IvEg.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):73305
                Entropy (8bit):7.996028107841645
                Encrypted:true
                SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                MD5:83142242E97B8953C386F988AA694E4A
                SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....
                Process:C:\Users\user\Desktop\SZf8I0IvEg.exe
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):3.2810756866948085
                Encrypted:false
                SSDEEP:6:kKW+El/ImcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:xEl/ImfZkPlE99SNxAhUeq8S
                MD5:0F6CF03C07D6738256627A2511FD0F7B
                SHA1:790CB09C170863837FEBD739484EF915228B69A4
                SHA-256:12E60DD2143D3102B0CD1F6DBE3B7CBDCEDD028B3C41F655D71F27191174AC85
                SHA-512:C1C6ACBC950BF6255F841ED10DD63712B6C5F5CDDF5BBB09C7E3B7AFA8280368E5F8ABD91A89D4B58313B7846E369C0C0A1EE18F3B99537E66142BDBD4C73CED
                Malicious:false
                Reputation:low
                Preview:p...... ........Z.V!....(....................................................... ..................(....c*.....Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.615977367376357
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:SZf8I0IvEg.exe
                File size:48'640 bytes
                MD5:c7c64687ae709d71b1440fd99a62f0f6
                SHA1:10e8a15dcf18d8752eced5ab22650cdc8e1e7309
                SHA256:ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33
                SHA512:a87b0bafac6ffbd3da6f9ac141b4d5f931921eb0e0874d1e45577c5466c906ea9cec4fe9eee5020639a19dae39c691b3ee9491d51aaa331c3b608c2a58678b1b
                SSDEEP:768:F6T3ILNCKi+DiW0jd3gLqRp8AoPiIjYb6geRBMcC4vEgK/JTZVc6KN:F6YmWGaPAKMbtkGV4nkJTZVclN
                TLSH:D9235D0037D8C536E2BD4BB4A9F3A245867AD65B1903CB5D6CC811EA2B13BC597036FE
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y................................. ........@.. ....................... ............@................................
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x40cb8e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x59E0C03F [Fri Oct 13 13:31:43 2017 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al   (repeated for the rest of the listing: the bytes after the 6-byte entry stub are zero padding, and 00 00 disassembles as this instruction)
                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0xcb400x4b.text
                IMAGE_DIRECTORY_ENTRY_RESOURCE0xe0000xdf7.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x100000xc.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x20000xab940xac0013b6fd928adbbf17905f9445ffffbb7fFalse0.5020666787790697data5.6411055835076525IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc0xe0000xdf70xe002083376922615c09cdda9acfd9305376False0.4017857142857143data5.110607648061562IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc0x100000xc0x200d2892f5e6b6d9366633263ebc642dea3False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
                RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
                DLL | Import
                mscoree.dll | _CorExeMain
                Description | Data
                Translation | 0x0000 0x04b0
                Comments |
                CompanyName |
                FileDescription |
                FileVersion | 1.0.7.0
                InternalName | Client.exe
                LegalCopyright |
                LegalTrademarks |
                OriginalFilename | Client.exe
                ProductName |
                ProductVersion | 1.0.7.0
                Assembly Version | 1.0.7.0


                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2025-03-28T08:36:33.468392+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP
                2025-03-28T08:36:33.468392+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP
                2025-03-28T08:36:33.468392+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 176.65.134.105 | 9852 | 192.168.2.4 | 49712 | TCP
                • Total Packets: 61
                • 9852 undefined
                • 53 (DNS)
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 28, 2025 08:36:32.629650116 CET | 60095 | 53 | 192.168.2.4 | 1.1.1.1
                Mar 28, 2025 08:36:32.776674032 CET | 53 | 60095 | 1.1.1.1 | 192.168.2.4
                Mar 28, 2025 08:37:10.880825996 CET | 53 | 60395 | 162.159.36.2 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Mar 28, 2025 08:36:32.629650116 CET | 192.168.2.4 | 1.1.1.1 | 0xff9e | Standard query (0) | goodsvibes.dynuddns.net | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Mar 28, 2025 08:36:32.776674032 CET | 1.1.1.1 | 192.168.2.4 | 0xff9e | No error (0) | goodsvibes.dynuddns.net | | 176.65.134.105 | A (IP address) | IN (0x0001) | false
                Mar 28, 2025 08:36:33.674793005 CET | 1.1.1.1 | 192.168.2.4 | 0xdb10 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.90.172 | A (IP address) | IN (0x0001) | false

                Target ID:0
                Start time:03:36:28
                Start date:28/03/2025
                Path:C:\Users\user\Desktop\SZf8I0IvEg.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\SZf8I0IvEg.exe"
                Imagebase:0xe20000
                File size:48'640 bytes
                MD5 hash:C7C64687AE709D71B1440FD99A62F0F6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:false

                Execution Graph

                Execution Coverage

                Dynamic/Packed Code Coverage

                Signature Coverage

                Execution Coverage:18.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:9
                Total number of Limit Nodes:0
                Execution graph (rendering omitted): 7ffc3ddb18c5 -> 7ffc3ddb2a00 (LoadLibraryA) -> 7ffc3ddb2ad2; 7ffc3ddb2d3d -> 7ffc3ddb2d4b (VirtualProtect) -> 7ffc3ddb2e2b; 7ffc3ddb29e1 -> 7ffc3ddb29eb (LoadLibraryA) -> 7ffc3ddb2ad2

                Executed Functions

                Control-flow Graph

                Graph of function 7ffc3ddb308d-7ffc3ddb38a4 (rendering omitted)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID:
                • String ID: ,
                • API String ID: 0-3772416878
                • Opcode ID: 4947af660d2639eeb3181f00fe5b366387b13e88a4d0a7e20377f2972a72dde1
                • Instruction ID: 159b2984738df426fd9da66d66f07bf61422285d46af1ae7c1b893f7ceb8451a
                • Opcode Fuzzy Hash: 4947af660d2639eeb3181f00fe5b366387b13e88a4d0a7e20377f2972a72dde1
                • Instruction Fuzzy Hash: F3320630B1CA2E8FEB9CEB6880556B977D2EF98354F544179D04EC32D6EE28AC41D760

                Control-flow Graph

                Graph of function 7ffc3ddb8346-7ffc3ddb8803 (rendering omitted)
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6b2a57bc26eb6f800c2c0a5296bbb4ad4c092a99ade8943bf70ded9f28b9b237
                • Instruction ID: f7a601aa71c58e61da7ef223c1e6f43cf4242f3e661a6237e8981a719b77108b
                • Opcode Fuzzy Hash: 6b2a57bc26eb6f800c2c0a5296bbb4ad4c092a99ade8943bf70ded9f28b9b237
                • Instruction Fuzzy Hash: 19F19230908B8D8FEBA8DF28C8557E977E1FF58354F04426AE84DC7291EB34A945CB91

                Control-flow Graph

                Graph of function 7ffc3ddb90f2-7ffc3ddb957f (rendering omitted)
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c5c3f79e7bc890a3867232ebab07357a070234c8fee47949c251468f9bbaf55
                • Instruction ID: a3bc8a29f560008c148778280e76efa8179c4ca443af865535f913b03bc2ecfb
                • Opcode Fuzzy Hash: 1c5c3f79e7bc890a3867232ebab07357a070234c8fee47949c251468f9bbaf55
                • Instruction Fuzzy Hash: 28E1C47090CA8D8FEBA8DF68C8557E977E1FF54350F04426ED84EC7291EA78A940CB91

                Control-flow Graph

                Graph of function 7ffc3ddb29e1-7ffc3ddb2b31, calls LoadLibraryA (rendering omitted)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 106aae4e6ded05bb705cf24ea7299b7bc90c9d27f0cfc043657294afd95a6589
                • Instruction ID: 76bc0704e7fd3a4704afe1dc168aee2c7009e857c0b4ec5fe6a444db0d361b51
                • Opcode Fuzzy Hash: 106aae4e6ded05bb705cf24ea7299b7bc90c9d27f0cfc043657294afd95a6589
                • Instruction Fuzzy Hash: 88416E30908A1C8FDB98EF98D845BE9BBF1FF59310F0041AAD04DD7292DB74A945CB90

                Control-flow Graph

                Graph of function 7ffc3ddb18c5-7ffc3ddb2b31, calls LoadLibraryA (rendering omitted)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 5da119261ecd33571ddd7af0ac3e2f68fda6e52f6f7d99b71bc10c5be4f9c26a
                • Instruction ID: c3f2b1fd61fd50b86a890bd1e3df236e40c2261aa14a3eae98173077dd7e241d
                • Opcode Fuzzy Hash: 5da119261ecd33571ddd7af0ac3e2f68fda6e52f6f7d99b71bc10c5be4f9c26a
                • Instruction Fuzzy Hash: 24415E30908A1C8FDB98EF98D449BADBBF1FB59310F10416AD04EE3291DB74A841CB90

                Control-flow Graph

                Graph of function 7ffc3ddb2d3d-7ffc3ddb2e59, calls VirtualProtect (rendering omitted)
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 61479a998a6acf64abc2878190e20f1c0eb941f0e1b3fa8b94e22ef78a3ddfac
                • Instruction ID: 136e607afbd08b15313036deec1cb6f0f7652657abe44385ebbd8e6cc3fcb2c7
                • Opcode Fuzzy Hash: 61479a998a6acf64abc2878190e20f1c0eb941f0e1b3fa8b94e22ef78a3ddfac
                • Instruction Fuzzy Hash: 2A41063190CB9C4FDB1A9BA898466AD7FE0EF56321F0442AFD089D3192DA746806C7D2