Edit tour

Windows Analysis Report
SZf8I0IvEg.exe

Overview

General Information

Sample name:	SZf8I0IvEg.exe renamed because original name is a hash value
Original sample name:	ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe
Analysis ID:	1650930
MD5:	c7c64687ae709d71b1440fd99a62f0f6
SHA1:	10e8a15dcf18d8752eced5ab22650cdc8e1e7309
SHA256:	ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33
Tags:	exegoodsvibes-dynuddns-netuser-JAMESWT_MHT
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SZf8I0IvEg.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\SZf8I0IvEg.exe" MD5: C7C64687AE709D71B1440FD99A62F0F6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{
  "Server": "goodsvibes.dynuddns.net",
  "Port": "9852",
  "Version": " 1.0.7",
  "MutexName": "DcRatMutex_qGo",
  "Autorun": "false",
  "Group": "Marzo17-25"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SZf8I0IvEg.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
SZf8I0IvEg.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9ac4:$a2: timeout 3 > NUL 0x9ae4:$a3: START "" " 0x996f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a24:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
SZf8I0IvEg.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa11e:$str01: DcRatByqwqdanchun 0x9a24:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x97e0:$str03: Po_ng 0x97b6:$str04: Pac_ket 0x9ec2:$str05: Perfor_mance 0x9f06:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x7036:$str08: get_ActivatePo_ng 0x79be:$str09: isVM_by_wim_temper 0x97fc:$str10: save_Plugin 0x9ac4:$str11: timeout 3 > NUL 0x9b36:$str12: ProcessHacker.exe 0x9ca6:$str13: Select * from Win32_CacheMemory
SZf8I0IvEg.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a24:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996f:$s2: L2Mgc2NodGFza3MgL2 0x98ee:$s3: QW1zaVNjYW5CdWZmZXI 0x993c:$s4: VmlydHVhbFByb3RlY3Q
SZf8I0IvEg.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca6:$q1: Select * from Win32_CacheMemory 0x9ce6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d34:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d82:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
SZf8I0IvEg.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11e:$s1: DcRatBy
Click to see the 1 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4c9:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x98c4:$a2: timeout 3 > NUL 0x98e4:$a3: START "" " 0x976f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9824:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3818:$b2: DcRat By qwqdanchun1
00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x75f8:$b2: DcRat By qwqdanchun1 0xf31c:$b2: DcRat By qwqdanchun1 0xf56c:$b2: DcRat By qwqdanchun1
00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x458c:$b2: DcRat By qwqdanchun1 0x5adc:$b2: DcRat By qwqdanchun1 0x3b890:$b2: DcRat By qwqdanchun1
00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5318:$b1: DcRatByqwqdanchun 0x3f294:$b2: DcRat By qwqdanchun1
00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x217f14:$b2: DcRat By qwqdanchun1
Process Memory Space: SZf8I0IvEg.exe PID: 7604	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: SZf8I0IvEg.exe PID: 7604	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: SZf8I0IvEg.exe PID: 7604	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x21150:$a1: havecamera 0x25d1f:$b1: DcRatByqwqdanchun 0x39bd2:$b1: DcRatByqwqdanchun 0xd2be:$b2: DcRat By qwqdanchun1 0x12d57:$b2: DcRat By qwqdanchun1 0x26289:$b2: DcRat By qwqdanchun1 0x3224b:$b2: DcRat By qwqdanchun1 0x45687:$b2: DcRat By qwqdanchun1
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SZf8I0IvEg.exe.e20000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.SZf8I0IvEg.exe.e20000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9ac4:$a2: timeout 3 > NUL 0x9ae4:$a3: START "" " 0x996f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a24:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.SZf8I0IvEg.exe.e20000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa11e:$str01: DcRatByqwqdanchun 0x9a24:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x97e0:$str03: Po_ng 0x97b6:$str04: Pac_ket 0x9ec2:$str05: Perfor_mance 0x9f06:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x7036:$str08: get_ActivatePo_ng 0x79be:$str09: isVM_by_wim_temper 0x97fc:$str10: save_Plugin 0x9ac4:$str11: timeout 3 > NUL 0x9b36:$str12: ProcessHacker.exe 0x9ca6:$str13: Select * from Win32_CacheMemory
0.0.SZf8I0IvEg.exe.e20000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a24:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996f:$s2: L2Mgc2NodGFza3MgL2 0x98ee:$s3: QW1zaVNjYW5CdWZmZXI 0x993c:$s4: VmlydHVhbFByb3RlY3Q
0.0.SZf8I0IvEg.exe.e20000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca6:$q1: Select * from Win32_CacheMemory 0x9ce6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d34:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d82:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.SZf8I0IvEg.exe.e20000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11e:$s1: DcRatBy
Click to see the 1 entries

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T08:36:33.468392+0100	2034847	1	Domain Observed Used for C2 Detected	176.65.134.105	9852	192.168.2.4	49712	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T08:36:33.468392+0100	2842478	1	Malware Command and Control Activity Detected	176.65.134.105	9852	192.168.2.4	49712	TCP

ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-28T08:36:33.468392+0100	2848048	1	Domain Observed Used for C2 Detected	176.65.134.105	9852	192.168.2.4	49712	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SZf8I0IvEg.exe

Avira: detected

Antivirus detection for URL or domain

Source: goodsvibes.dynuddns.net

Avira URL Cloud: Label: malware

Found malware configuration

Source: SZf8I0IvEg.exe

Malware Configuration Extractor: AsyncRAT {"Server": "goodsvibes.dynuddns.net", "Port": "9852", "Version": " 1.0.7", "MutexName": "DcRatMutex_qGo", "Autorun": "false", "Group": "Marzo17-25"}

Multi AV Scanner detection for submitted file

Source: SZf8I0IvEg.exe	Virustotal: Detection: 79%			Perma Link
Source: SZf8I0IvEg.exe	ReversingLabs: Detection: 80%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 94.2%

Sample uses string decryption to hide its real strings

Source: SZf8I0IvEg.exe	String decryptor: 9852
Source: SZf8I0IvEg.exe	String decryptor: goodsvibes.dynuddns.net
Source: SZf8I0IvEg.exe	String decryptor: 1.0.7
Source: SZf8I0IvEg.exe	String decryptor: false
Source: SZf8I0IvEg.exe	String decryptor: DcRatMutex_qGo
Source: SZf8I0IvEg.exe	String decryptor: MIICMDCCAZmgAwIBAgIVAMaBeR9P3Ul+SdXWCbf4dEVfPoRFMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDIwNDE1MDcxN1oXDTMzMTExMzE1MDcxN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKc8o3jPsEuo8oWGV/dKkjetOpEe003VLgZvyH72e4hhVOKpVhCoXfNzypj62QwbJzZNiJEjKbHcMIBTj6FXTcN0crxDt9y9Zkqcv5bHQt7qEhSGlQDWusiPiFi/ZUm5aABL1L3ZDlEq0EomTSE+zogqLxeR4JBAsV0AR4buL7SRAgMBAAGjMjAwMB0GA1UdDgQWBBQmwIernSRvdh/MqJJVki/p4G9lwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAIQGk5vP6qdN4EaKNY/YrbRS91Tu9QPKlufTNOzSlJxuxr062vtdFPTQylkVTc+MeL3xUB8gBMAixsOc/vHhhjk6N+XsPz/AvA0eRze9Tje1kzVx/fH+uv1/dBFR0/I8hyBB6C1MxQ5E4tNT4z0yGxYsRw0P9j2sVHbmQKMh1R2n
Source: SZf8I0IvEg.exe	String decryptor: dGUVfcePaRwsym7gbgWOEl5IaDTRxXCExDI8PIraed/7TrK00iUi6nsUraCY49L05IVSiIK7QyhcHvWgSa4nLQQKgr+D92N15mK56C5OxzHEpIm9CnmLUnOid4ay546ky5OEWESt4hmV9OCCadz5oaOPcwIcPYRHHQ1KFsxOC2o=
Source: SZf8I0IvEg.exe	String decryptor: null
Source: SZf8I0IvEg.exe	String decryptor: Marzo17-25

Source: SZf8I0IvEg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 176.65.134.105:9852 -> 192.168.2.4:49712
Source: Network traffic	Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 176.65.134.105:9852 -> 192.168.2.4:49712
Source: Network traffic	Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 176.65.134.105:9852 -> 192.168.2.4:49712

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: goodsvibes.dynuddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: goodsvibes.dynuddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49712 -> 176.65.134.105:9852

Source: Joe Sandbox View

ASN Name: DIOGELO-ASGB DIOGELO-ASGB

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: goodsvibes.dynuddns.net

Source: SZf8I0IvEg.exe, 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SZf8I0IvEg.exe, 00000000.00000002.2425638876.000000000132C000.00000004.00000020.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Code function: 0_2_00007FFC3DDB90F2	0_2_00007FFC3DDB90F2
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Code function: 0_2_00007FFC3DDB308D	0_2_00007FFC3DDB308D
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Code function: 0_2_00007FFC3DDB8346	0_2_00007FFC3DDB8346

Source: SZf8I0IvEg.exe, 00000000.00000000.1179051193.0000000000E2E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs SZf8I0IvEg.exe
Source: SZf8I0IvEg.exe	Binary or memory string: OriginalFilenameClient.exe" vs SZf8I0IvEg.exe

Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: SZf8I0IvEg.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: SZf8I0IvEg.exe, Settings.cs	Base64 encoded string: 'OAknEO0ilwBypamBm7kB4SyppLeTK3dM0HickL21OBBmEeGHqIaT/TRoIugwUU6n9gKFULkv87Ja0TxAyddtxA==', 'mwJlyJoCsJyIVXKEZNc7AndRl18vYBIzONbz87u/zs/uEnAiIy33VK+eJerBpugVTlvMY9M+EeLg7GGQH3ZKNw==', 'W8+ziyUP0dmTKPuQg497pHioJgJBESvFFWcy77FFbczRXjv1mtxO2w/mZBfHnUHJP8kqIJlT2GBoZ7JCEW+2l5fT8FReSzqX/GEpUJu/UVypXpvsc9LTxPkdo1c1lEnJLbQrrQC8oRsETaL1nJ7AQuacruuxlNhEL82/FFF9OJeHHcHBZmDzkP+7gVsQyGwQUe42uOa5WEbtq1FYZygsp8OiPoah+oSEugYqGxSpZgcY27gLt27FzJuSUVx/j9qQX0ZWibKAPNe2qXxR4JrnWoQHj9Hd+7XCWweqhmyWBuE=', 'Z7QvwinbzI0ryDAqU2ofVPjJq9+PSYiK7Cq1a8qjk5lm1Jb0YN8pMJiS0EoFj8mgcVX2W3F8KUKpxGpYx69jnQ==', 'LSAs76MwknLa+OiTtn/EEtCnqfXaaV2Ad0rYsA/24Iq9U3Dc7x7GL6L391thJoQMFVPNAB4RRZ5eUzVhLuNNMA==', 'YMTLGimZ2xR6igLGw3UPWZEzaeklvB3N8rPp6G0LN3CcGO6Rbh88A5q7rSk52wUlnL80h2uG3cuTg0/IphJZOw=='
Source: SZf8I0IvEg.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qGo

Source: SZf8I0IvEg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SZf8I0IvEg.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SZf8I0IvEg.exe	Virustotal: Detection: 79%
Source: SZf8I0IvEg.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Section loaded: msdmo.dll	Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: SZf8I0IvEg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SZf8I0IvEg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Code function: 0_2_00007FFC3DDB00BD pushad ; iretd

0_2_00007FFC3DDB00C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SZf8I0IvEg.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Memory allocated: 1560000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Memory allocated: 1B290000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Window / User API: threadDelayed 1844			Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe	Window / User API: threadDelayed 8006			Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7828	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7836	Thread sleep count: 1844 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SZf8I0IvEg.exe TID: 7836	Thread sleep count: 8006 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SZf8I0IvEg.exe, 00000000.00000002.2429043352.000000001BD55000.00000004.00000020.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: SZf8I0IvEg.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: SZf8I0IvEg.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SZf8I0IvEg.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: SZf8I0IvEg.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000035C5000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.000000000330E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000032F6000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.00000000035C5000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.000000000330E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Queries volume information: C:\Users\user\Desktop\SZf8I0IvEg.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: SZf8I0IvEg.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SZf8I0IvEg.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: SZf8I0IvEg.exe, 00000000.00000002.2428687312.000000001BCA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: SZf8I0IvEg.exe, 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\SZf8I0IvEg.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SZf8I0IvEg.exe PID: 7604, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SZf8I0IvEg.exe	79%	Virustotal		Browse
SZf8I0IvEg.exe	81%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
SZf8I0IvEg.exe	100%	Avira	HEUR/AGEN.1307404
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
goodsvibes.dynuddns.net	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.90.172	true	false		high
goodsvibes.dynuddns.net	176.65.134.105	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
goodsvibes.dynuddns.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, SZf8I0IvEg.exe, 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.134.105	goodsvibes.dynuddns.net	Germany		56325	DIOGELO-ASGB	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1650930
Start date and time:	2025-03-28 08:35:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SZf8I0IvEg.exe renamed because original name is a hash value
Original Sample Name:	ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.90.172, 23.204.23.20, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:36:33	API Interceptor	1x Sleep call for process: SZf8I0IvEg.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	7NOT92-GmT6-1OjO9-R14.msi	Get hash	malicious	Unknown	Browse	151.101.46.172
	SOA.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.90.172
	MetroHealthNow.com.pdf	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	199.232.38.172
	PURCHASE ORDER 517-2025.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.90.172
	SecuriteInfo.com.Trojan.Win32.32652.13367.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.38.172
	SecuriteInfo.com.Trojan.Win32.32652.13367.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.90.172
	https://webmail-oxcs.networksolutionsemail.com/appsuite/api/share/06aa762107b86ac26a9d4b37b86a49dfbc05657fa4e7fd74/1/8/MjYx	Get hash	malicious	Orcus	Browse	199.232.90.172
	New Order For 2000 Pieces.exe	Get hash	malicious	AgentTesla	Browse	199.232.90.172
	XRealStats.xlam	Get hash	malicious	Unknown	Browse	199.232.38.172
	VerifiedAssetLinked.exe	Get hash	malicious	AsyncRAT, KeyLogger, Quasar, XWorm	Browse	199.232.90.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIOGELO-ASGB	Z9dgTYzz4x.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.153
	killua.x86.elf	Get hash	malicious	Unknown	Browse	176.65.134.43
	a55fee51fe469b7ed4f23ef3753b380fb548d65f40306962.pptm.ps1	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.153
	sparc.nn.elf	Get hash	malicious	Mirai	Browse	176.65.134.15
	jae1h6e218.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.145
	5IY8PW2nOl.exe	Get hash	malicious	RHADAMANTHYS	Browse	176.65.134.145
	tdm.js	Get hash	malicious	Remcos	Browse	176.65.134.41
	morte.x64.elf	Get hash	malicious	Unknown	Browse	176.65.134.62
	morte.m68k.elf	Get hash	malicious	Unknown	Browse	176.65.134.62
	morte.mips.elf	Get hash	malicious	Unknown	Browse	176.65.134.62

Process:	C:\Users\user\Desktop\SZf8I0IvEg.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	73305
Entropy (8bit):	7.996028107841645
Encrypted:	true
SSDEEP:	1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
MD5:	83142242E97B8953C386F988AA694E4A
SHA1:	833ED12FC15B356136DCDD27C61A50F59C5C7D50
SHA-256:	D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
SHA-512:	BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH..M.KB."..rK.RQ..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j\|w...#.oU..Eq[..P..^..~.V...;..m...I\|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.\|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\SZf8I0IvEg.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.2810756866948085
Encrypted:	false
SSDEEP:	6:kKW+El/ImcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:xEl/ImfZkPlE99SNxAhUeq8S
MD5:	0F6CF03C07D6738256627A2511FD0F7B
SHA1:	790CB09C170863837FEBD739484EF915228B69A4
SHA-256:	12E60DD2143D3102B0CD1F6DBE3B7CBDCEDD028B3C41F655D71F27191174AC85
SHA-512:	C1C6ACBC950BF6255F841ED10DD63712B6C5F5CDDF5BBB09C7E3B7AFA8280368E5F8ABD91A89D4B58313B7846E369C0C0A1EE18F3B99537E66142BDBD4C73CED
Malicious:	false
Reputation:	low
Preview:	p...... ........Z.V!....(....................................................... ..................(....c*.....Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.615977367376357
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SZf8I0IvEg.exe
File size:	48'640 bytes
MD5:	c7c64687ae709d71b1440fd99a62f0f6
SHA1:	10e8a15dcf18d8752eced5ab22650cdc8e1e7309
SHA256:	ad254af84174663ff1da12477b8f970338853f93cff1c04ac29c0ed72087fc33
SHA512:	a87b0bafac6ffbd3da6f9ac141b4d5f931921eb0e0874d1e45577c5466c906ea9cec4fe9eee5020639a19dae39c691b3ee9491d51aaa331c3b608c2a58678b1b
SSDEEP:	768:F6T3ILNCKi+DiW0jd3gLqRp8AoPiIjYb6geRBMcC4vEgK/JTZVc6KN:F6YmWGaPAKMbtkGV4nkJTZVclN
TLSH:	D9235D0037D8C536E2BD4BB4A9F3A245867AD65B1903CB5D6CC811EA2B13BC597036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59E0C03F [Fri Oct 13 13:31:43 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb40	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab94	0xac00	13b6fd928adbbf17905f9445ffffbb7f	False	0.5020666787790697	data	5.6411055835076525	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	d2892f5e6b6d9366633263ebc642dea3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription
FileVersion	1.0.7.0
InternalName	Client.exe
LegalCopyright
LegalTrademarks
OriginalFilename	Client.exe
ProductName
ProductVersion	1.0.7.0
Assembly Version	1.0.7.0

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-28T08:36:33.468392+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	176.65.134.105	9852	192.168.2.4	49712	TCP
2025-03-28T08:36:33.468392+0100	2034847	ET MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	176.65.134.105	9852	192.168.2.4	49712	TCP
2025-03-28T08:36:33.468392+0100	2848048	ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	176.65.134.105	9852	192.168.2.4	49712	TCP

Network Port Distribution

Total Packets: 61
• 9852 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2025 08:36:32.782290936 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:32.999496937 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:32.999584913 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:33.023610115 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:33.241775036 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:33.249274015 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:33.468391895 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:33.514615059 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:35.279212952 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:35.550524950 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:35.550596952 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:35.813688040 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:43.492635965 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:43.549308062 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:43.766552925 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:43.811594963 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:49.611891985 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:49.878794909 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:49.878895044 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:50.097817898 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:50.139758110 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:50.356828928 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:50.359478951 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:50.627507925 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:36:50.627720118 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:36:50.897155046 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:03.953352928 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:04.225284100 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:04.225465059 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:04.444715023 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:04.499382019 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:04.716440916 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:04.719259977 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:04.990417957 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:04.990528107 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:05.259885073 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:13.503560066 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:13.546361923 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:13.763428926 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:13.812110901 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:18.296783924 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:18.555951118 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:18.556046009 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:18.774236917 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:18.827574968 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:19.044760942 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:19.046873093 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:19.304815054 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:19.304935932 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:19.574788094 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:32.640603065 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:32.903593063 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:32.903737068 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:33.122117996 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:33.171549082 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:33.388748884 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:33.390563965 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:33.652355909 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:33.652503967 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:33.922261000 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:43.500463009 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:43.546610117 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:43.763645887 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:43.812284946 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:46.984745026 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:47.248507023 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:47.248599052 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:47.466850042 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:47.515454054 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:47.733261108 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:47.735548973 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:47.997478008 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:37:47.997658014 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:37:48.267261982 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:01.328677893 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:01.592648983 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:01.592799902 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:01.810553074 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:01.859275103 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:02.076349020 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:02.080697060 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:02.341337919 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:02.341411114 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:02.611247063 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:13.544761896 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:13.593789101 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:13.810815096 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:13.859358072 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:15.672322035 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:15.929752111 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:15.929893970 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:16.148021936 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:16.203219891 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:16.420456886 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:16.424508095 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:16.685946941 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:16.686058044 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:16.956486940 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:30.016247034 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:30.276899099 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:30.276984930 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:30.495111942 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:30.547096968 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:30.764434099 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:30.766429901 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:31.032849073 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:31.032951117 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:31.303227901 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:34.766093969 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:35.031045914 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:35.031119108 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:35.248857021 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:35.297032118 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:35.514193058 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:35.514837980 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:35.780775070 CET	9852	49712	176.65.134.105	192.168.2.4
Mar 28, 2025 08:38:35.780853033 CET	49712	9852	192.168.2.4	176.65.134.105
Mar 28, 2025 08:38:36.049657106 CET	9852	49712	176.65.134.105	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2025 08:36:32.629650116 CET	60095	53	192.168.2.4	1.1.1.1
Mar 28, 2025 08:36:32.776674032 CET	53	60095	1.1.1.1	192.168.2.4
Mar 28, 2025 08:37:10.880825996 CET	53	60395	162.159.36.2	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2025 08:36:32.629650116 CET	192.168.2.4	1.1.1.1	0xff9e	Standard query (0)	goodsvibes.dynuddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 28, 2025 08:36:32.776674032 CET	1.1.1.1	192.168.2.4	0xff9e	No error (0)	goodsvibes.dynuddns.net		176.65.134.105	A (IP address)	IN (0x0001)	false
Mar 28, 2025 08:36:33.674793005 CET	1.1.1.1	192.168.2.4	0xdb10	No error (0)	bg.microsoft.map.fastly.net		199.232.90.172	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• SZf8I0IvEg.exe

Click to jump to process

Memory Usage

• SZf8I0IvEg.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	03:36:28
Start date:	28/03/2025
Path:	C:\Users\user\Desktop\SZf8I0IvEg.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SZf8I0IvEg.exe"
Imagebase:	0xe20000
File size:	48'640 bytes
MD5 hash:	C7C64687AE709D71B1440FD99A62F0F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1179022219.0000000000E22000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2428687312.000000001BC60000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003584000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426105604.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2426637563.0000000003317000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FFC3DDB308D Relevance: 2.0, Strings: 1, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FFC3DDB321A

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4947af660d2639eeb3181f00fe5b366387b13e88a4d0a7e20377f2972a72dde1
Instruction ID: 159b2984738df426fd9da66d66f07bf61422285d46af1ae7c1b893f7ceb8451a
Opcode Fuzzy Hash: 4947af660d2639eeb3181f00fe5b366387b13e88a4d0a7e20377f2972a72dde1
Instruction Fuzzy Hash: F3320630B1CA2E8FEB9CEB6880556B977D2EF98354F544179D04EC32D6EE28AC41D760

Function 00007FFC3DDB8346 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2a57bc26eb6f800c2c0a5296bbb4ad4c092a99ade8943bf70ded9f28b9b237
Instruction ID: f7a601aa71c58e61da7ef223c1e6f43cf4242f3e661a6237e8981a719b77108b
Opcode Fuzzy Hash: 6b2a57bc26eb6f800c2c0a5296bbb4ad4c092a99ade8943bf70ded9f28b9b237
Instruction Fuzzy Hash: 19F19230908B8D8FEBA8DF28C8557E977E1FF58354F04426AE84DC7291EB34A945CB91

Function 00007FFC3DDB90F2 Relevance: .5, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5c3f79e7bc890a3867232ebab07357a070234c8fee47949c251468f9bbaf55
Instruction ID: a3bc8a29f560008c148778280e76efa8179c4ca443af865535f913b03bc2ecfb
Opcode Fuzzy Hash: 1c5c3f79e7bc890a3867232ebab07357a070234c8fee47949c251468f9bbaf55
Instruction Fuzzy Hash: 28E1C47090CA8D8FEBA8DF68C8557E977E1FF54350F04426ED84EC7291EA78A940CB91

Function 00007FFC3DDB29E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFC3DDB2ABF

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 106aae4e6ded05bb705cf24ea7299b7bc90c9d27f0cfc043657294afd95a6589
Instruction ID: 76bc0704e7fd3a4704afe1dc168aee2c7009e857c0b4ec5fe6a444db0d361b51
Opcode Fuzzy Hash: 106aae4e6ded05bb705cf24ea7299b7bc90c9d27f0cfc043657294afd95a6589
Instruction Fuzzy Hash: 88416E30908A1C8FDB98EF98D845BE9BBF1FF59310F0041AAD04DD7292DB74A945CB90

Function 00007FFC3DDB18C5 Relevance: 1.6, APIs: 1, Instructions: 141
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFC3DDB2ABF

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5da119261ecd33571ddd7af0ac3e2f68fda6e52f6f7d99b71bc10c5be4f9c26a
Instruction ID: c3f2b1fd61fd50b86a890bd1e3df236e40c2261aa14a3eae98173077dd7e241d
Opcode Fuzzy Hash: 5da119261ecd33571ddd7af0ac3e2f68fda6e52f6f7d99b71bc10c5be4f9c26a
Instruction Fuzzy Hash: 24415E30908A1C8FDB98EF98D449BADBBF1FB59310F10416AD04EE3291DB74A841CB90

Function 00007FFC3DDB2D3D Relevance: 1.6, APIs: 1, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFC3DDB2E1A

Memory Dump Source

Source File: 00000000.00000002.2430683331.00007FFC3DDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc3ddb0000_SZf8I0IvEg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 61479a998a6acf64abc2878190e20f1c0eb941f0e1b3fa8b94e22ef78a3ddfac
Instruction ID: 136e607afbd08b15313036deec1cb6f0f7652657abe44385ebbd8e6cc3fcb2c7
Opcode Fuzzy Hash: 61479a998a6acf64abc2878190e20f1c0eb941f0e1b3fa8b94e22ef78a3ddfac
Instruction Fuzzy Hash: 2A41063190CB9C4FDB1A9BA898466AD7FE0EF56321F0442AFD089D3192DA746806C7D2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SZf8I0IvEg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
SZf8I0IvEg.exe