Edit tour

Windows Analysis Report
Zexo.exe

Overview

General Information

Sample name:	Zexo.exe
Analysis ID:	1651678
MD5:	fe21311e262630af1a54520f55ca8c69
SHA1:	1d595196ae495436868b9b6d5f0d17d04a5ff8ef
SHA256:	62ab616a986ed8d7725c5c37122c385b7ad30b9e02d659e950fa099c9b8d9ed3
Tags:	exeuser-zhuzhu0009
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected DcRat

Binary or sample is protected by dotNetProtector

Connects to many ports of the same IP (likely port scanning)

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Zexo.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\Zexo.exe" MD5: FE21311E262630AF1A54520F55CA8C69)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{
  "Server": "147.185.221.21",
  "Port": "27180",
  "Version": "",
  "MutexName": "YΒb2VDSoAΖjAΔX8D杰f",
  "Autorun": "false",
  "Group": "Default"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Zexo.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Zexo.exe	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd7a4:$str01: DcRatByqwqdanchun 0xccdc:$str03: Po_ng 0xccb2:$str04: Pac_ket 0xd384:$str05: Perfor_mance 0xd3c8:$str06: Install_ed 0x886a:$str07: get_IsConnected 0x9965:$str08: get_ActivatePo_ng 0xccf8:$str10: save_Plugin 0xceb8:$str11: timeout 3 > NUL 0xcf4e:$str12: ProcessHacker.exe
Zexo.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1a8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd244:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Zexo.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7a4:$s1: DcRatBy

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x19782:$b2: DcRat By qwqdanchun1 0x19c34:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xc35:$b2: DcRat By qwqdanchun1 0x19e19:$b2: DcRat By qwqdanchun1
00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1d95:$b2: DcRat By qwqdanchun1
00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x42549:$b2: DcRat By qwqdanchun1
00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5518d:$b2: DcRat By qwqdanchun1
00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x52e8:$b1: DcRatByqwqdanchun 0x3f5a5:$b2: DcRat By qwqdanchun1
Process Memory Space: Zexo.exe PID: 7364	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Zexo.exe PID: 7364	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: Zexo.exe PID: 7364	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x21729:$a1: havecamera 0x292ef:$b1: DcRatByqwqdanchun 0x3c714:$b1: DcRatByqwqdanchun 0x7833:$b2: DcRat By qwqdanchun1 0x34a7c:$b2: DcRat By qwqdanchun1 0x3a2a6:$b2: DcRat By qwqdanchun1 0x481bc:$b2: DcRat By qwqdanchun1 0x4d8dc:$b2: DcRat By qwqdanchun1
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.Zexo.exe.110000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.0.Zexo.exe.110000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd7a4:$str01: DcRatByqwqdanchun 0xccdc:$str03: Po_ng 0xccb2:$str04: Pac_ket 0xd384:$str05: Perfor_mance 0xd3c8:$str06: Install_ed 0x886a:$str07: get_IsConnected 0x9965:$str08: get_ActivatePo_ng 0xccf8:$str10: save_Plugin 0xceb8:$str11: timeout 3 > NUL 0xcf4e:$str12: ProcessHacker.exe
1.0.Zexo.exe.110000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd1a8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd244:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
1.0.Zexo.exe.110000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd7a4:$s1: DcRatBy

Suricata Signatures

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-29T13:37:27.436783+0100	2842478	1	Malware Command and Control Activity Detected	147.185.221.21	27180	192.168.2.6	49703	TCP
2025-03-29T13:37:38.815344+0100	2842478	1	Malware Command and Control Activity Detected	147.185.221.21	27180	192.168.2.6	49705	TCP

Base64 encoded string: 'xgbm1YJNIMbgj7WRz7kOEOoPdqEYmCovvDSAzUma42qlroy0BTBDxtAe76eG1UQhMIFLEHLcRUsf54rZSzivvg==', 'hZnHTMPEo2F7dzSM8SakDgRmmNjaF6m10ZiE8LdSmgKNzFcy4Pd9y8gCCAwte6PCgarLHF5uugzvmlmKA0J8Ug==', 'NAt47R7LZ5jBTNOPwF2jK2JD0xT/ssZ5uf5zJ36bTgE6G2B1M59i7pUcJg2XQAMvOrgZ7l+gfnQDYtE+quPWLcg2FLSihhN8gezoyzQAGv0=', 'X822lMthSzgbF/AfX3i0uH3tYnV4eRoYiVTBmYrNSsOJUsGkjerX97jCOESJCy3REn9vJISvtBb8KYc5Pkg5OBud8rIfGRZqxE23jLJKL3ILFH6FXaOu6+xFm6OPC8w4s8kF9FcR9+IcELabfP8j7OPPV9MvJZMcwRCh3eDhbez9+sPu5pUh5BfwgOK3t7KN0BMtYivijycoVx3O7i/DFgYm/qqo90+5LVjkXFFmUKYomTZDVwUXifGgJLrcc1v+KLpX9cPQQ0V3PMqukGjtzB1HP4T4ak5cIx0fN0No2t4uYfHgj2vzUltDfqGvB8tuRcbN8OexuuimpmudxP8/abBrq4eI0U7CyY1eZxaxvpoV0LBvE8Kau+ml/3oljA1yMgWS2kc8bPVGnHDWG06pvrOYQH7lk61Z07vIz7NT4CwyGDXUU8Zoha6tavFG/xX8qPIIcuEnc2WIFft7nK4ohbvDMfdS/FpOdfcHGJ8s3Yen7XY4hSaHeoconbHJ2vublCn36uNt0JiL2hKbhVQvSF5ymA0GF8J6BWi6urCzqx/HEiBvKMMmwG7YXSJBdbGdSb/qe9QzMnLKULjO4jkKT2oTQGXYSFXPHWdxHeygsybE2uWOATB7gd9l6uogsyvj7EPEzz2L+XgbMVNiazyBLwmMkgFdkcmjgDD7FxwNdik3oK3LLz30Ef+fcO+UANE6cPS+bzoqLZ2eePHVY16gUQlGjg4H0AtxlJz0ISLjM6DFNUnVUyPAtsdWTaCUawpcvN+zfP7jlr7l7KvvSJMBBNUXNYj+W8P62RMezGR0MyGStFyB37iu1Q1nUwCXaOn/N8lL0CT6SxtB6yXDP5+J5+5dcaeIfeEEKzZ7p3TW85r+4Mho0hmk5I0cGluv7bshytWLBG8mtR0pQZS5dwbJ1Luo8qBCkIyi1sDSkjKBE+WX0P898SMvxNQADF50q7iQVNUoZeGXggFYbvA/AQO74pc5+QDNEsDFtt+q3gHDX0KRlBPxuac08ueKT86IUdm8pfNiaDkb8pkEtkqUVGLYMerdMpYSBBZZ3IvRQT5Xk2g=', '+XszIBQcqNxpULKlxQWbScaxHUM6QRu4004m4TkZ7Gsy0hJoWi3pKAUndHQ2inuP8ggY/GnF5CEpFwMSk7FKbmuv6Cm0X7ftiS76bYAzWUQccIP01TJHdWARm9VwRJoHc7i3m8t5D4nkah5/esdqYCNpmchiUsxfH7ac+gR6z/wRiUQtmfR8IvayvwCMeBlzf0ZsEcXrpbsmXHsiKEtf8s9QmzZt7z9/MQwe4TcYUdp1qNXujFJX9jpDJrtIpWdTx+8Q7xjjuLPd0A/EvI9UrzVrpcB+LroShbAnxIFq3nM=', 'lTbHjSKR1dIl6/qXliPn0mAEQWYJa0Y5o6oP+v58ZFLJEw3fs1ShPZsOf+HbYntzqcFkfmKbkIhpPst191peQA==', 'KADNlPWaJZIjzD11N8XzoXyvOz83Ck5ioBRPduqAlOgXaCx8602ncYAumlmVqs42VnOP6E/ieX7yFjhkbnfa2Q==', 'V6HfnGZuqXWPphGLSO6et4Klj+Y4fZly8M/MRS2/VsXnhg6J1RJKl8HAH8Vx5h6bxzLKW5uRON+nc2dZstL6sQ==', 'Wxz2PPhcZR9OnUykBvsGNER5Ns04CtHyDOuDQoPYCBfz+YtMFJ91VBxv70aHqTTpXl6r7RdNm34EWVmenp/PcA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\Zexo.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Zexo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Y?b2VDSoA?jA?X8D?f

Source: Zexo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Zexo.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Zexo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Zexo.exe	ReversingLabs: Detection: 80%
Source: Zexo.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Zexo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Zexo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Binary or sample is protected by dotNetProtector

Source: Zexo.exe, 00000001.00000002.2486709765.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: dotNetProtector
Source: Zexo.exe, 00000001.00000002.2484910216.0000000012421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dotNetProtector

Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4E00BD pushad ; iretd	1_2_00007FF88B4E00C1
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4FA8BF push ebx; iretd	1_2_00007FF88B4FA8C2
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4EAFD8 push E85CA259h; ret	1_2_00007FF88B4EAFF9
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4F552C push ebp; iretd	1_2_00007FF88B4F5538

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Zexo.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Source: C:\Users\user\Desktop\Zexo.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\8DDAA8B7C3447D4E21BA E204D15F0E7269D364157AAAB265A5DFBE7E76C9F6202BF90998F0EDD77CA248

Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Zexo.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Zexo.exe	Binary or memory string: SBIEDLL.DLLM{860BB310-5D01-11D0-BD3B-00A0C911CE86}
Source: Zexo.exe	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\Zexo.exe	Memory allocated: 960000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Memory allocated: 1A410000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe	Window / User API: threadDelayed 3975			Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Window / User API: threadDelayed 5873			Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe TID: 5768	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe TID: 6860	Thread sleep time: -23980767295822402s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Zexo.exe	Binary or memory string: vmware
Source: Zexo.exe, 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Zexo.exe, 00000001.00000002.2485989026.000000001AE6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Zexo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: Zexo.exe, 00000001.00000002.2472987250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Zexo.exe, 00000001.00000002.2472987250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\Zexo.exe	Queries volume information: C:\Users\user\Desktop\Zexo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zexo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Zexo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Zexo.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: MSASCui.exe
Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: procexp.exe
Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Zexo.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Modify Registry	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Zexo.exe	81%	ReversingLabs	ByteCode-MSIL.Backdoor.MarteVenomRAT
Zexo.exe	75%	Virustotal		Browse
Zexo.exe	100%	Avira	HEUR/AGEN.1307453
SAMPLE	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.31	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Zexo.exe, 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.21	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1651678
Start date and time:	2025-03-29 13:35:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Zexo.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 208.89.73.31, 23.204.23.20, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:37:26	API Interceptor	1x Sleep call for process: Zexo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.21	file.exe	Get hash	malicious	Njrat	Browse
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse
	Nurcraft.exe	Get hash	malicious	XWorm	Browse
	Zvas34nq1T.exe	Get hash	malicious	XWorm	Browse
	aoKTzGQSRP.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe	Get hash	malicious	SheetRat	Browse
	mIURiU8n2P.exe	Get hash	malicious	XWorm	Browse
	PixpFUv4G7.exe	Get hash	malicious	Quasar, XWorm	Browse
	r4RF3TX5Mi.exe	Get hash	malicious	XWorm	Browse
	ra66DSpa.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	kpsbCW7D1x.ps1	Get hash	malicious	Vidar	Browse	208.89.73.31
	windows.ps1	Get hash	malicious	Vidar	Browse	208.89.73.21
	4uxI3oIdvM.ps1	Get hash	malicious	Vidar	Browse	208.89.73.29
	PO#P18620782.exe	Get hash	malicious	Snake Keylogger	Browse	208.89.73.31
	SG-07298.exe	Get hash	malicious	Snake Keylogger	Browse	208.89.73.23
	https://stockanalysis.com/out/news?url=https://tbcorps.com/eDocument/Docusign/a6egt67309hy66402g6sj2348/pdf.html#purchasing@ycwa.com	Get hash	malicious	Unknown	Browse	208.89.73.27
	windscribe.msi	Get hash	malicious	Unknown	Browse	208.89.73.29
	https://www.transfernow.net/dl/20250327nEx48coZ	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	208.89.73.21
	taxCPAm.bat	Get hash	malicious	Unknown	Browse	208.89.73.17
	JKT48.exe	Get hash	malicious	Unknown	Browse	208.89.73.29

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	xxrkjufx.exe	Get hash	malicious	NeptuneRAT	Browse	147.185.221.25
	Vanta Loader.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	XC.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	xxx.exe	Get hash	malicious	XWorm	Browse	147.185.221.25
	Spicetify.bat	Get hash	malicious	Unknown	Browse	147.185.221.27
	MasonClient.exe	Get hash	malicious	NeptuneRAT	Browse	147.185.221.25
	Microsoft-e26fa1b625.exe.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	sihost.exe	Get hash	malicious	XWorm	Browse	147.185.221.19
	Supermiom.exe	Get hash	malicious	SheetRat	Browse	147.185.221.26
	x96lib.exe	Get hash	malicious	NeptuneRAT	Browse	147.185.221.19

Process:	C:\Users\user\Desktop\Zexo.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	73305
Entropy (8bit):	7.996028107841645
Encrypted:	true
SSDEEP:	1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
MD5:	83142242E97B8953C386F988AA694E4A
SHA1:	833ED12FC15B356136DCDD27C61A50F59C5C7D50
SHA-256:	D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
SHA-512:	BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH..M.KB."..rK.RQ..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j\|w...#.oU..Eq[..P..^..~.V...;..m...I\|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.\|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Zexo.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1897121670185173
Encrypted:	false
SSDEEP:	6:kKyDImcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:tmCkPlE99SNxAhUeq8S
MD5:	CFED83DBADABBB39736738643CAEADDE
SHA1:	7B99B29B1869D5FCECE9E44A387FDEFACC91FC5D
SHA-256:	F74E8863694F510A82FAB14AB3C91C0E99454EAEA80900FB44860B30CB114B5D
SHA-512:	ED5854F2CC48E012F0C353E39768046316919509C40C19477AFFF3B361DD65D6A006C63F78389A62050FD04EA139A1E009B7F07BD55B7E43EB81016CBB43FA14
Malicious:	false
Reputation:	low
Preview:	p...... .........`.S....(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.806036419342361
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Zexo.exe
File size:	64'512 bytes
MD5:	fe21311e262630af1a54520f55ca8c69
SHA1:	1d595196ae495436868b9b6d5f0d17d04a5ff8ef
SHA256:	62ab616a986ed8d7725c5c37122c385b7ad30b9e02d659e950fa099c9b8d9ed3
SHA512:	c89d654df3ab13762f1cf529d5526da7716bc61c6634d3255a0f01a4708a2701513cd45c0079f95d089df127f73386a83b0a19b1a09b5b2b28d0cb43946ce97f
SSDEEP:	768:jnuguX1wbgyX78dIC8A+XkuazcBRL5JTk1+T4KSBGHmDbD/ph0oXpdM7nNqSuEdP:rvCCPTDdSJYUbdh9jMXuEdpqKmY7
TLSH:	84536C003798C965E2AE87B8BCF3550106B1C2772116DA1E7CC810DB6B9FFC64A526FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.eb................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41099e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62658926 [Sun Apr 24 17:30:14 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10944	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xdb5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe9a4	0xea00	44a0f0fde58509bdb5cdd32f580d76c7	False	0.4906517094017094	data	5.844232667729135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xdb5	0xe00	8ae77c3680b8fc7998fab3a0df2d0ede	False	0.40122767857142855	data	5.026234489158954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	7d0a0127c9ffff397a9b1a5f86ddcf26	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0x12374	0xa41	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.4114285714285714

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription
FileVersion	3.6.0.0
InternalName	Client.exe
LegalCopyright
LegalTrademarks
OriginalFilename	Client.exe
ProductName
ProductVersion	3.6.0.0
Assembly Version	3.6.0.0

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-29T13:37:27.436783+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	147.185.221.21	27180	192.168.2.6	49703	TCP
2025-03-29T13:37:38.815344+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	147.185.221.21	27180	192.168.2.6	49705	TCP

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 13:36:11.032743931 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:11.131879091 CET	27180	49693	147.185.221.21	192.168.2.6
Mar 29, 2025 13:36:11.132009983 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:11.145828962 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:11.458174944 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:11.770667076 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:12.380028963 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:13.583161116 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:14.801934958 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:16.005081892 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:18.411447048 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:23.223915100 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:32.833352089 CET	49693	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:37.851155043 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:37.948851109 CET	27180	49698	147.185.221.21	192.168.2.6
Mar 29, 2025 13:36:37.948949099 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:37.949342966 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:38.255235910 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:38.567869902 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:39.177126884 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:40.380326033 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:42.786535978 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:47.599078894 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:36:57.208873987 CET	49698	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:02.224805117 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:02.309685946 CET	27180	49701	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:02.309828043 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:02.310190916 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:02.614805937 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:02.929702044 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:03.536798954 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:04.739845037 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:07.146135092 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:11.958667040 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:21.568269014 CET	49701	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:26.584513903 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:26.690032959 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:26.690232992 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:26.690614939 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:26.990020037 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:27.003633976 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:27.211760998 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:27.239895105 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:27.436783075 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:27.436945915 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:27.465084076 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:27.505789042 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:27.702501059 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:27.702558041 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:29.539199114 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:29.927561045 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:30.161195040 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:33.768693924 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:33.818202019 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:33.849004030 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.005822897 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.005963087 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.224482059 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.463529110 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.832659960 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835062027 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835099936 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835134029 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.835144997 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835179090 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835191011 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.835220098 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835252047 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835264921 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.835294962 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835326910 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835340023 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.835370064 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835401058 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835418940 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.835439920 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835470915 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:34.835484028 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:34.882211924 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.082211971 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083306074 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083364964 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083379030 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083400011 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083424091 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083444118 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083444118 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083466053 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083482027 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083482981 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083518028 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083550930 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083619118 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083637953 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083663940 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083687067 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083729029 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083740950 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083759069 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083812952 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083836079 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083853960 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083870888 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083887100 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083899975 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.083904028 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.083930016 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.101453066 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.101517916 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.101639986 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.146318913 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318315029 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318357944 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318401098 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318417072 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318434954 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318444967 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318464994 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318473101 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318509102 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318521023 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318607092 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318624973 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318650961 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318654060 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318667889 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318685055 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318703890 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318706036 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318725109 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318747044 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318788052 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318829060 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318856001 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318871021 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.318886042 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318907976 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.318938971 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:35.565397978 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:35.565509081 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:37.955498934 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:37.976083994 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.042191029 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:38.042304039 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.042787075 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.266892910 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:38.267255068 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.349490881 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.557951927 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:38.571386099 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:38.572082996 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.815344095 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:38.815515041 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:38.880848885 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.044178009 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.103059053 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.267122984 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.267323971 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.268313885 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.268450975 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.317946911 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.485940933 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.486097097 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.487637997 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.552138090 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.589716911 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.630424023 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.708733082 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.709801912 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.774065018 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.774163961 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.818077087 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.877089977 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.877357960 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:39.928314924 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:39.928474903 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.034873009 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.034959078 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.037539959 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.151016951 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.151104927 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.320199966 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.320323944 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.426145077 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.426346064 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.585001945 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.588731050 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.696060896 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.696207047 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.816176891 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.816409111 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.942615986 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:40.981904030 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:40.982028961 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.039011002 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.088131905 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.088275909 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.170310020 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.170418024 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.268232107 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.268587112 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.309937954 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.310067892 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.364923954 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.365211010 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.408905029 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.409177065 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.459817886 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.532144070 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.554419041 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.570321083 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.581034899 CET	27180	49705	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:41.581186056 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.582716942 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.629040003 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.661155939 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.754725933 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.786880016 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.880836010 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:41.926064014 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:42.049560070 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:42.237534046 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:42.240139008 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:42.943439007 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:44.334007978 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:47.099611998 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:52.537692070 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:52.631081104 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:52.810930014 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:52.811115026 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:37:53.091445923 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:55.010845900 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:37:55.052835941 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:03.677825928 CET	49705	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:04.037592888 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:04.318363905 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:38:04.318643093 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:04.588134050 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:38:15.839905977 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:16.102430105 CET	27180	49703	147.185.221.21	192.168.2.6
Mar 29, 2025 13:38:16.102547884 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:16.615375042 CET	49703	27180	192.168.2.6	147.185.221.21
Mar 29, 2025 13:38:16.838929892 CET	27180	49703	147.185.221.21	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2025 13:36:49.303415060 CET	53	64001	162.159.36.2	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.31	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.19	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.25	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.29	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.21	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.27	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.23	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:24.688249111 CET	1.1.1.1	192.168.2.6	0x294	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.17	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.23	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.17	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.31	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.19	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.25	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.29	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.21	A (IP address)	IN (0x0001)	false
Mar 29, 2025 13:36:37.238760948 CET	1.1.1.1	192.168.2.6	0x6b63	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	208.89.73.27	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• Zexo.exe

Click to jump to process

Memory Usage

• Zexo.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	1
Start time:	08:36:06
Start date:	29/03/2025
Path:	C:\Users\user\Desktop\Zexo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Zexo.exe"
Imagebase:	0x110000
File size:	64'512 bytes
MD5 hash:	FE21311E262630AF1A54520F55CA8C69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FF88B4EFE18 Relevance: 3.0, Strings: 2, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m, xrefs: 00007FF88B5229E8
&, xrefs: 00007FF88B522D55

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID: &$m
API String ID: 0-23731971
Opcode ID: 722b5a3088b400b625e704ce12d6d5c5c1a5ab7f0d35fb09434340bb02b90676
Instruction ID: 360331bfc743072eccacd2cc6d7d0f7c5603c4294de55440f8de9a58ccc84cf1
Opcode Fuzzy Hash: 722b5a3088b400b625e704ce12d6d5c5c1a5ab7f0d35fb09434340bb02b90676
Instruction Fuzzy Hash: 81029271E08A499FE799EF68D8557A9B7E5FF98740F0001BDE04DD3292CE395982CB01

Function 00007FF88B4E31DE Relevance: 1.9, APIs: 1, Instructions: 447
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF88B4E3534

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 68221e5c9d4dc313bcb2a6646b456d4f607c94093c0eda8d741534650de3bd90
Instruction ID: e6ca998266f78d4b4448bfdf1253adba5106cba8583cb9b1b48b10debbb9f76f
Opcode Fuzzy Hash: 68221e5c9d4dc313bcb2a6646b456d4f607c94093c0eda8d741534650de3bd90
Instruction Fuzzy Hash: C2C14B31A0CA494FE71EE76898162FA77E1FF95360F04417ED48AC3597DE3CA8468782

Function 00007FF88B50C828 Relevance: 1.9, Strings: 1, Instructions: 667
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VJ_H, xrefs: 00007FF88B50CE70

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID: VJ_H
API String ID: 0-4144697165
Opcode ID: 8d3d57e149c17405171df58b3ec410291ab176900b89fae9fb8d3ece7c68b4ac
Instruction ID: 5b574a0b0bf8029deeff2b2a5a6e8e34ed0df9740484f3e84c0df45f94572114
Opcode Fuzzy Hash: 8d3d57e149c17405171df58b3ec410291ab176900b89fae9fb8d3ece7c68b4ac
Instruction Fuzzy Hash: 0302E532F0CE458BF759A62C68661B977D2FFD9790B0801BBD04EC32E7DD28A8478645

Function 00007FF88B4EE2ED Relevance: 1.8, Strings: 1, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?L_L, xrefs: 00007FF88B4EE574

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID: ?L_L
API String ID: 0-2999258991
Opcode ID: 79c91d401b742046ca80554718f1ccf36ff45e32546616458df7009bab8b77da
Instruction ID: 9aff8e3c3fdfc32d0e1c6c93d799e2f93fb606b67cd6cc3a3af7aff19aa3c874
Opcode Fuzzy Hash: 79c91d401b742046ca80554718f1ccf36ff45e32546616458df7009bab8b77da
Instruction Fuzzy Hash: 63B1F071B5CA448FE78CAB2CA45A77477D1FB98750F1441BEE00DC72A3DE29A8428786

Function 00007FF88B4E2AED Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607099da1468169751e40c6d58675d2a59f1de86a73f450c1a594ae41c45d4e8
Instruction ID: 012c97a1ccc353fd8323922da63af69f4989d82fb6ccafa0fa220aa1e176eb7b
Opcode Fuzzy Hash: 607099da1468169751e40c6d58675d2a59f1de86a73f450c1a594ae41c45d4e8
Instruction Fuzzy Hash: 0A320431E0CA4A4FE759A77C98566B977D1FFD92A0B0801BED04EC71A7DD2CA886C341

Function 00007FF88B4F0548 Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96943cd8c0b0ab649d0d3a3dbc72c2e463ae16a13021efd1b5414b5ca7825b6a
Instruction ID: 25acdb29f8e19b7a571287f422f00146a0b8a50cfcbd93860b813f2b459ac0be
Opcode Fuzzy Hash: 96943cd8c0b0ab649d0d3a3dbc72c2e463ae16a13021efd1b5414b5ca7825b6a
Instruction Fuzzy Hash: 9232F831E1CA464BE758E62C98566B577C2FFC4790F4445BED04EC32E3DE28A846C785

Function 00007FF88B50EE40 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1cd0de9ab39c15a68625d0175c65ae86b68ec157c294cfbee94afdcf8083e8
Instruction ID: 2dcb8aa49b1f56ce98026f051bd0c7569a98ff68ff1e44e858a1ef3f20115fff
Opcode Fuzzy Hash: 9f1cd0de9ab39c15a68625d0175c65ae86b68ec157c294cfbee94afdcf8083e8
Instruction Fuzzy Hash: 0C227430A1CB4A8FE7A8DF18985567AB7D1FBD8750F14467EC48DC32A6DE34A842C742

Function 00007FF88B5015FF Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b098a4625323535b879a511648bafc2b4f86d889212fd440a842e4f5f2d7f0
Instruction ID: 162dd5c8f3b06647ce0cda40c5fcb864150f1833b88f2331ac6405e615c5cc2c
Opcode Fuzzy Hash: 73b098a4625323535b879a511648bafc2b4f86d889212fd440a842e4f5f2d7f0
Instruction Fuzzy Hash: 2412B731E0CA49CFEB98DA5898556BA77E2FF94750F04417ED40EC72A7DE34A842CB42

Function 00007FF88B4E8D06 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2752d4a3c1019e51210a3df9e9bf75d4f59b6c9e8502203cfe39e3be9d7b501
Instruction ID: cf9e63530fed301d576932cd7ec6ea3462c245ba1a57cbc0632e457c4058380e
Opcode Fuzzy Hash: c2752d4a3c1019e51210a3df9e9bf75d4f59b6c9e8502203cfe39e3be9d7b501
Instruction Fuzzy Hash: E2F19630908A8D8FEBA8DF28C8567E977D1FF94350F44426EE84DC7291CB749985CB82

Function 00007FF88B4E9AB2 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5e1663ef9e7bac765230a6ee557db173776b93380301753095e405809e9730
Instruction ID: 8168d9e78884fca1b4c3f903918d714f1ad20d9ac23a7f5d64879d088f92c550
Opcode Fuzzy Hash: 8c5e1663ef9e7bac765230a6ee557db173776b93380301753095e405809e9730
Instruction Fuzzy Hash: 1FE1B530908A4D8FEBA8DF68C8567E977D1FF94350F14426ED84DC7291DB789885CB81

Function 00007FF88B4F0FCD Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4010ad5952c30784a3a732fed707de77031dff588c7c5359f61468f0bef34e
Instruction ID: 37ec59022a8c07b7238ba110736dea2b9baa224fd454646c552db53ef37d968f
Opcode Fuzzy Hash: cc4010ad5952c30784a3a732fed707de77031dff588c7c5359f61468f0bef34e
Instruction Fuzzy Hash: 7E912723B0C9560BE714BAACB4565FA77D1FFC57B070401BBD04ECB1A3CE18A846C286

Non-executed Functions

Function 00007FF88B4ECF4E Relevance: 2.2, Strings: 1, Instructions: 996COMMON

Download Yara Rule

Strings

oL_, xrefs: 00007FF88B4ECF6D

Memory Dump Source

Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd

Similarity

API ID:
String ID: oL_
API String ID: 0-842947659
Opcode ID: b85b03e6fbc2c81d6bddea51a40c3954e52bc3d081c205c4b953c26fa012d33e
Instruction ID: f9a37c14a4f59a9ce1bfe35247a27330fc7bec28d7fb6dfeb2e7058d1712feb0
Opcode Fuzzy Hash: b85b03e6fbc2c81d6bddea51a40c3954e52bc3d081c205c4b953c26fa012d33e
Instruction Fuzzy Hash: B0528421F18D4A4BE768FB68949A77973D2FFE43A0F54417AD00EC31E7DD28A8868741

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 147.185.221.21:27180 -> 192.168.2.6:49703
Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 147.185.221.21:27180 -> 192.168.2.6:49705

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.21

Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Zexo.exe, 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabadt
Source: Zexo.exe, 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ene089
Source: Zexo.exe, 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: Zexo.exe, type: SAMPLE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: Zexo.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: Zexo.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4E2AED	1_2_00007FF88B4E2AED
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4EE2ED	1_2_00007FF88B4EE2ED
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4E9AB2	1_2_00007FF88B4E9AB2
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4E31DE	1_2_00007FF88B4E31DE
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B50C828	1_2_00007FF88B50C828
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4F0FCD	1_2_00007FF88B4F0FCD
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B50EE40	1_2_00007FF88B50EE40
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B5015FF	1_2_00007FF88B5015FF
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4EFE18	1_2_00007FF88B4EFE18
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4F0548	1_2_00007FF88B4F0548
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4E8D06	1_2_00007FF88B4E8D06
Source: C:\Users\user\Desktop\Zexo.exe	Code function: 1_2_00007FF88B4ECF4E	1_2_00007FF88B4ECF4E

Source: Zexo.exe	String decryptor: 27180
Source: Zexo.exe	String decryptor: 147.185.221.21
Source: Zexo.exe	String decryptor:
Source: Zexo.exe	String decryptor: false
Source: Zexo.exe	String decryptor: Yb2VDSoAjAX8Df
Source: Zexo.exe	String decryptor: MIICKTCCAZKgAwIBAgIVAPctg9L2nB7zZ9ZKb+Oytazgjc3vMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwNjE3MTAwNDI2WhcNMzUwMzI3MTAwNDI2WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApn+ZiLceaVbYXIRGRaR0CC7bPd3lo3S3SgzNZ2HYcZv4jCwg9TO+ZmJnsJ/LGsUCtlhe+APJmx2HLxcD9QuefyUZsmDyeVUtsipA0egXiZKyccdWhcdBWVbeljoqAh9f7S0yvm1qcLs0wJAmhPtqa32fY/ADa6u/z9AwIm3hP7sCAwEAAaMyMDAwHQYDVR0OBBYEFCX17SeBPgCQhe6bY6mL1Ao/h/joMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEARHy30faCrIC33MhB0zgzKNuoZvJDsgzw3d4QIiOP9fpYKZ64CXn/Sj5wPKIfdssTqrRA+fS+Fh9uZeCp3CABKcZsZoi/YNz5F7lcOrI4CvQhuRoLdqBIlCpLoOqs/xgyPp8NbiMplpYguJV8UlSs0l6FZD/crY9/inhbfMKHM6E=
Source: Zexo.exe	String decryptor: VVa4P0pz27rFuOy+7vaCudpQMEJ9Pd11gK5rogh8FHTI7Be4JRWknHzaAyChM/spllKvAvxP7xPesYq2tTKBJFp3pjJ94prfAtCwxKL5nKLOozEzYtxlaoXg1t9Nql5L3Z8yoyOld+ZAdOvK0OeEyR9jC7gLzU2Bvyp1EDC/XjI=
Source: Zexo.exe	String decryptor: null
Source: Zexo.exe	String decryptor: Default

Source: Zexo.exe, 00000001.00000002.2486709765.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRemoteDesktop.dll" vs Zexo.exe
Source: Zexo.exe, 00000001.00000002.2484910216.0000000012421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemoteDesktop.dll" vs Zexo.exe
Source: Zexo.exe, 00000001.00000000.1210655774.0000000000122000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs Zexo.exe
Source: Zexo.exe	Binary or memory string: OriginalFilenameClient.exe" vs Zexo.exe

Source: Zexo.exe, type: SAMPLE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: Zexo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: Zexo.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Zexo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
Zexo.exe