Windows Analysis Report
Zexo.exe

Overview

General Information

Sample name: Zexo.exe
Analysis ID: 1651678
MD5: fe21311e262630af1a54520f55ca8c69
SHA1: 1d595196ae495436868b9b6d5f0d17d04a5ff8ef
SHA256: 62ab616a986ed8d7725c5c37122c385b7ad30b9e02d659e950fa099c9b8d9ed3
Tags: exe, user-zhuzhu0009

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
Binary or sample is protected by dotNetProtector
Connects to many ports of the same IP (likely port scanning)
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • Zexo.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\Zexo.exe" MD5: FE21311E262630AF1A54520F55CA8C69)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{
  "Server": "147.185.221.21",
  "Port": "27180",
  "Version": "",
  "MutexName": "YΒb2VDSoAΖjAΔX8D杰f",
  "Autorun": "false",
  "Group": "Default"
}
Source | Rule | Description | Author | Strings
Zexo.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Zexo.exe | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
  • 0xd7a4:$str01: DcRatByqwqdanchun
  • 0xccdc:$str03: Po_ng
  • 0xccb2:$str04: Pac_ket
  • 0xd384:$str05: Perfor_mance
  • 0xd3c8:$str06: Install_ed
  • 0x886a:$str07: get_IsConnected
  • 0x9965:$str08: get_ActivatePo_ng
  • 0xccf8:$str10: save_Plugin
  • 0xceb8:$str11: timeout 3 > NUL
  • 0xcf4e:$str12: ProcessHacker.exe
Zexo.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0xd1a8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd1f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd244:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Zexo.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0xd7a4:$s1: DcRatBy

Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x19782:$b2: DcRat By qwqdanchun1
  • 0x19c34:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0xc35:$b2: DcRat By qwqdanchun1
  • 0x19e19:$b2: DcRat By qwqdanchun1
00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1d95:$b2: DcRat By qwqdanchun1
00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x42549:$b2: DcRat By qwqdanchun1
00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x5518d:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
1.0.Zexo.exe.110000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.0.Zexo.exe.110000.0.unpack | rat_win_dcrat_qwqdanchun | Find DcRAT samples (qwqdanchun) based on specific strings | Sekoia.io
  • 0xd7a4:$str01: DcRatByqwqdanchun
  • 0xccdc:$str03: Po_ng
  • 0xccb2:$str04: Pac_ket
  • 0xd384:$str05: Perfor_mance
  • 0xd3c8:$str06: Install_ed
  • 0x886a:$str07: get_IsConnected
  • 0x9965:$str08: get_ActivatePo_ng
  • 0xccf8:$str10: save_Plugin
  • 0xceb8:$str11: timeout 3 > NUL
  • 0xcf4e:$str12: ProcessHacker.exe
1.0.Zexo.exe.110000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0xd1a8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd1f6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd244:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
1.0.Zexo.exe.110000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0xd7a4:$s1: DcRatBy

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-29T13:37:27.436783+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 147.185.221.21 | 27180 | 192.168.2.6 | 49703 | TCP
2025-03-29T13:37:38.815344+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 147.185.221.21 | 27180 | 192.168.2.6 | 49705 | TCP

        AV Detection

Source: Zexo.exe | Avira: detected
Source: Zexo.exe | Malware Configuration Extractor: AsyncRAT {"Server": "147.185.221.21", "Port": "27180", "Version": "", "MutexName": "Y\u0392b2VDSoA\u0396jA\u0394X8D\u6770f", "Autorun": "false", "Group": "Default"}
Source: Zexo.exe | ReversingLabs: Detection: 80%
Source: Zexo.exe | Virustotal: Detection: 75%
Source: Submitted Sample | Neural Call Log Analysis: 98.5%
Source: Zexo.exe | String decryptor: 27180
Source: Zexo.exe | String decryptor: 147.185.221.21
Source: Zexo.exe | String decryptor:
Source: Zexo.exe | String decryptor: false
Source: Zexo.exe | String decryptor: Yb2VDSoAjAX8Df
Source: Zexo.exe | String decryptor: MIICKTCCAZKgAwIBAgIVAPctg9L2nB7zZ9ZKb+Oytazgjc3vMA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwNjE3MTAwNDI2WhcNMzUwMzI3MTAwNDI2WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApn+ZiLceaVbYXIRGRaR0CC7bPd3lo3S3SgzNZ2HYcZv4jCwg9TO+ZmJnsJ/LGsUCtlhe+APJmx2HLxcD9QuefyUZsmDyeVUtsipA0egXiZKyccdWhcdBWVbeljoqAh9f7S0yvm1qcLs0wJAmhPtqa32fY/ADa6u/z9AwIm3hP7sCAwEAAaMyMDAwHQYDVR0OBBYEFCX17SeBPgCQhe6bY6mL1Ao/h/joMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEARHy30faCrIC33MhB0zgzKNuoZvJDsgzw3d4QIiOP9fpYKZ64CXn/Sj5wPKIfdssTqrRA+fS+Fh9uZeCp3CABKcZsZoi/YNz5F7lcOrI4CvQhuRoLdqBIlCpLoOqs/xgyPp8NbiMplpYguJV8UlSs0l6FZD/crY9/inhbfMKHM6E=
Source: Zexo.exe | String decryptor: VVa4P0pz27rFuOy+7vaCudpQMEJ9Pd11gK5rogh8FHTI7Be4JRWknHzaAyChM/spllKvAvxP7xPesYq2tTKBJFp3pjJ94prfAtCwxKL5nKLOozEzYtxlaoXg1t9Nql5L3Z8yoyOld+ZAdOvK0OeEyR9jC7gLzU2Bvyp1EDC/XjI=
Source: Zexo.exe | String decryptor: null
Source: Zexo.exe | String decryptor: Default
Source: Zexo.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 147.185.221.21:27180 -> 192.168.2.6:49703
Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 147.185.221.21:27180 -> 192.168.2.6:49705
Source: global traffic | TCP traffic: 147.185.221.21 ports 0,1,2,7,8,27180
Source: global traffic | TCP traffic: 192.168.2.6:49693 -> 147.185.221.21:27180
Source: Joe Sandbox View | IP Address: 147.185.221.21
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.21 (50 identical entries)
Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Zexo.exe, 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabadt
Source: Zexo.exe, 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ene089
Source: Zexo.exe, 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Zexo.exe, type: SAMPLE
Source: Yara match | File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

        System Summary

Source: Zexo.exe, type: SAMPLE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: Zexo.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: Zexo.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E31DE NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E2AED
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4EE2ED
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E9AB2
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E31DE
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B50C828
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4F0FCD
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B50EE40
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B5015FF
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4EFE18
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4F0548
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E8D06
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4ECF4E
Source: Zexo.exe, 00000001.00000002.2486709765.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll" vs Zexo.exe
Source: Zexo.exe, 00000001.00000002.2484910216.0000000012421000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll" vs Zexo.exe
Source: Zexo.exe, 00000001.00000000.1210655774.0000000000122000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs Zexo.exe
Source: Zexo.exe | Binary or memory string: OriginalFilenameClient.exe" vs Zexo.exe
Source: Zexo.exe, type: SAMPLE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: Zexo.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: Zexo.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Zexo.exe, Settings.cs | Base64 encoded string: 'xgbm1YJNIMbgj7WRz7kOEOoPdqEYmCovvDSAzUma42qlroy0BTBDxtAe76eG1UQhMIFLEHLcRUsf54rZSzivvg==', 'hZnHTMPEo2F7dzSM8SakDgRmmNjaF6m10ZiE8LdSmgKNzFcy4Pd9y8gCCAwte6PCgarLHF5uugzvmlmKA0J8Ug==', 'NAt47R7LZ5jBTNOPwF2jK2JD0xT/ssZ5uf5zJ36bTgE6G2B1M59i7pUcJg2XQAMvOrgZ7l+gfnQDYtE+quPWLcg2FLSihhN8gezoyzQAGv0=', '+XszIBQcqNxpULKlxQWbScaxHUM6QRu4004m4TkZ7Gsy0hJoWi3pKAUndHQ2inuP8ggY/GnF5CEpFwMSk7FKbmuv6Cm0X7ftiS76bYAzWUQccIP01TJHdWARm9VwRJoHc7i3m8t5D4nkah5/esdqYCNpmchiUsxfH7ac+gR6z/wRiUQtmfR8IvayvwCMeBlzf0ZsEcXrpbsmXHsiKEtf8s9QmzZt7z9/MQwe4TcYUdp1qNXujFJX9jpDJrtIpWdTx+8Q7xjjuLPd0A/EvI9UrzVrpcB+LroShbAnxIFq3nM=', 'lTbHjSKR1dIl6/qXliPn0mAEQWYJa0Y5o6oP+v58ZFLJEw3fs1ShPZsOf+HbYntzqcFkfmKbkIhpPst191peQA==', 'KADNlPWaJZIjzD11N8XzoXyvOz83Ck5ioBRPduqAlOgXaCx8602ncYAumlmVqs42VnOP6E/ieX7yFjhkbnfa2Q==', 'V6HfnGZuqXWPphGLSO6et4Klj+Y4fZly8M/MRS2/VsXnhg6J1RJKl8HAH8Vx5h6bxzLKW5uRON+nc2dZstL6sQ==', 'Wxz2PPhcZR9OnUykBvsGNER5Ns04CtHyDOuDQoPYCBfz+YtMFJ91VBxv70aHqTTpXl6r7RdNm34EWVmenp/PcA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\Zexo.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Zexo.exe | Mutant created: \Sessions\1\BaseNamedObjects\YΒb2VDSoAΖjAΔX8D杰f
Source: Zexo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zexo.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Zexo.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Zexo.exe | ReversingLabs: Detection: 80%
Source: Zexo.exe | Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: devenum.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zexo.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Zexo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Zexo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zexo.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Data Obfuscation

Source: Zexo.exe, 00000001.00000002.2486709765.000000001B4A0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: dotNetProtector
Source: Zexo.exe, 00000001.00000002.2484910216.0000000012421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: dotNetProtector
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4E00BD pushad ; iretd 1_2_00007FF88B4E00C1
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4FA8BF push ebx; iretd 1_2_00007FF88B4FA8C2
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4EAFD8 push E85CA259h; ret 1_2_00007FF88B4EAFF9
Source: C:\Users\user\Desktop\Zexo.exe | Code function: 1_2_00007FF88B4F552C push ebp; iretd 1_2_00007FF88B4F5538

        Boot Survival

        barindex
        Source: Yara matchFile source: Zexo.exe, type: SAMPLE
        Source: Yara matchFile source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR
        Source: C:\Users\user\Desktop\Zexo.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
        Source: C:\Users\user\Desktop\Zexo.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\8DDAA8B7C3447D4E21BA E204D15F0E7269D364157AAAB265A5DFBE7E76C9F6202BF90998F0EDD77CA248Jump to behavior
        Source: C:\Users\user\Desktop\Zexo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Zexo.exe, type: SAMPLE
Source: Yara match | File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR
Source: Zexo.exe | Binary or memory string: SBIEDLL.DLLM{860BB310-5D01-11D0-BD3B-00A0C911CE86}
Source: Zexo.exe | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\Zexo.exe | Memory allocated: 960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zexo.exe | Memory allocated: 1A410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zexo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Zexo.exe | Window / User API: threadDelayed 3975
Source: C:\Users\user\Desktop\Zexo.exe | Window / User API: threadDelayed 5873
Source: C:\Users\user\Desktop\Zexo.exe TID: 5768 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Zexo.exe TID: 6860 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\Desktop\Zexo.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Zexo.exe | Thread delayed: delay time: 922337203685477
Source: Zexo.exe | Binary or memory string: vmware
Source: Zexo.exe, 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Zexo.exe, 00000001.00000002.2485989026.000000001AE6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Zexo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Zexo.exe | Memory allocated: page read and write | page guard
Source: Zexo.exe, 00000001.00000002.2472987250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Zexo.exe, 00000001.00000002.2472987250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\Zexo.exe | Queries volume information: C:\Users\user\Desktop\Zexo.exe VolumeInformation
Source: C:\Users\user\Desktop\Zexo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\Zexo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\Zexo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: Zexo.exe, type: SAMPLE
Source: Yara match | File source: 1.0.Zexo.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR
Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: MSASCui.exe
Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: procexp.exe
Source: Zexo.exe, 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\Zexo.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zexo.exe PID: 7364, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques matched by this analysis carry the number of matching signatures in parentheses; the remaining cells are the unmatched matrix filler.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (1) | Modify Registry (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (1) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Behavior Graph

Behavior Graph ID: 1651678 | Sample: Zexo.exe | Start date: 29/03/2025 | Architecture: WINDOWS | Score: 100
Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
Process started: Zexo.exe
Network contact from Zexo.exe: 147.185.221.21, ports 27180, 49693, 49698 (SALSGIVERUS, United States)
Signature on Zexo.exe: Binary or sample is protected by dotNetProtector

Source | Detection | Scanner | Label
Zexo.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.MarteVenomRAT
Zexo.exe | 75% | Virustotal |
Zexo.exe | 100% | Avira | HEUR/AGEN.1307453
SAMPLE | 100% | Joe Sandbox ML |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 208.89.73.31 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Zexo.exe, 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.21 | unknown | United States | 12087 | SALSGIVERUS | true
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1651678
            Start date and time:2025-03-29 13:35:12 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 40s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Zexo.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@1/2@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 208.89.73.31, 23.204.23.20, 20.12.23.50
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:37:26 | API Interceptor | 1x Sleep call for process: Zexo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.21 | file.exe | malicious | Njrat
 | YPzNsfg4nR.exe | malicious | XWorm
 | Nurcraft.exe | malicious | XWorm
 | Zvas34nq1T.exe | malicious | XWorm
 | aoKTzGQSRP.exe | malicious | XWorm
 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | malicious | SheetRat
 | mIURiU8n2P.exe | malicious | XWorm
 | PixpFUv4G7.exe | malicious | Quasar, XWorm
 | r4RF3TX5Mi.exe | malicious | XWorm
 | ra66DSpa.exe | malicious | XWorm

Match | Associated Sample Name / URL | Detection | Threat Name | Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | kpsbCW7D1x.ps1 | malicious | Vidar | 208.89.73.31
 | windows.ps1 | malicious | Vidar | 208.89.73.21
 | 4uxI3oIdvM.ps1 | malicious | Vidar | 208.89.73.29
 | PO#P18620782.exe | malicious | Snake Keylogger | 208.89.73.31
 | SG-07298.exe | malicious | Snake Keylogger | 208.89.73.23
 | https://stockanalysis.com/out/news?url=https://tbcorps.com/eDocument/Docusign/a6egt67309hy66402g6sj2348/pdf.html#purchasing@ycwa.com | malicious | Unknown | 208.89.73.27
 | windscribe.msi | malicious | Unknown | 208.89.73.29
 | https://www.transfernow.net/dl/20250327nEx48coZ | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 208.89.73.21
 | taxCPAm.bat | malicious | Unknown | 208.89.73.17
 | JKT48.exe | malicious | Unknown | 208.89.73.29

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | xxrkjufx.exe | malicious | NeptuneRAT | 147.185.221.25
 | Vanta Loader.exe | malicious | XWorm | 147.185.221.19
 | XC.exe | malicious | XWorm | 147.185.221.20
 | xxx.exe | malicious | XWorm | 147.185.221.25
 | Spicetify.bat | malicious | Unknown | 147.185.221.27
 | MasonClient.exe | malicious | NeptuneRAT | 147.185.221.25
 | Microsoft-e26fa1b625.exe.exe | malicious | XWorm | 147.185.221.19
 | sihost.exe | malicious | XWorm | 147.185.221.19
 | Supermiom.exe | malicious | SheetRat | 147.185.221.26
 | x96lib.exe | malicious | NeptuneRAT | 147.185.221.19

No context
                                Process:C:\Users\user\Desktop\Zexo.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):73305
                                Entropy (8bit):7.996028107841645
                                Encrypted:true
                                SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                                MD5:83142242E97B8953C386F988AA694E4A
                                SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                                SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                                SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....
                                Process:C:\Users\user\Desktop\Zexo.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):330
                                Entropy (8bit):3.1897121670185173
                                Encrypted:false
                                SSDEEP:6:kKyDImcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:tmCkPlE99SNxAhUeq8S
                                MD5:CFED83DBADABBB39736738643CAEADDE
                                SHA1:7B99B29B1869D5FCECE9E44A387FDEFACC91FC5D
                                SHA-256:F74E8863694F510A82FAB14AB3C91C0E99454EAEA80900FB44860B30CB114B5D
                                SHA-512:ED5854F2CC48E012F0C353E39768046316919509C40C19477AFFF3B361DD65D6A006C63F78389A62050FD04EA139A1E009B7F07BD55B7E43EB81016CBB43FA14
                                Malicious:false
                                Reputation:low
                                Preview:p...... .........`.S....(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):5.806036419342361
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:Zexo.exe
                                File size:64'512 bytes
                                MD5:fe21311e262630af1a54520f55ca8c69
                                SHA1:1d595196ae495436868b9b6d5f0d17d04a5ff8ef
                                SHA256:62ab616a986ed8d7725c5c37122c385b7ad30b9e02d659e950fa099c9b8d9ed3
                                SHA512:c89d654df3ab13762f1cf529d5526da7716bc61c6634d3255a0f01a4708a2701513cd45c0079f95d089df127f73386a83b0a19b1a09b5b2b28d0cb43946ce97f
                                SSDEEP:768:jnuguX1wbgyX78dIC8A+XkuazcBRL5JTk1+T4KSBGHmDbD/ph0oXpdM7nNqSuEdP:rvCCPTDdSJYUbdh9jMXuEdpqKmY7
                                TLSH:84536C003798C965E2AE87B8BCF3550106B1C2772116DA1E7CC810DB6B9FFC64A526FE
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.eb................................. ... ....@.. .......................`............@................................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x41099e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x62658926 [Sun Apr 24 17:30:14 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10944 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0xdb5 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe9a4 | 0xea00 | 44a0f0fde58509bdb5cdd32f580d76c7 | False | 0.4906517094017094 | data | 5.844232667729135 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0xdb5 | 0xe00 | 8ae77c3680b8fc7998fab3a0df2d0ede | False | 0.40122767857142855 | data | 5.026234489158954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | 7d0a0127c9ffff397a9b1a5f86ddcf26 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0x12374 | 0xa41 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.4114285714285714
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription |
FileVersion | 3.6.0.0
InternalName | Client.exe
LegalCopyright |
LegalTrademarks |
OriginalFilename | Client.exe
ProductName |
ProductVersion | 3.6.0.0
Assembly Version | 3.6.0.0


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-29T13:37:27.436783+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 147.185.221.21 | 27180 | 192.168.2.6 | 49703 | TCP
2025-03-29T13:37:38.815344+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 147.185.221.21 | 27180 | 192.168.2.6 | 49705 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2025 13:36:11.032743931 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:11.131879091 CET | 27180 | 49693 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:36:11.132009983 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:11.145828962 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:11.458174944 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:11.770667076 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:12.380028963 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:13.583161116 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:14.801934958 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:16.005081892 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:18.411447048 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:23.223915100 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:32.833352089 CET | 49693 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:37.851155043 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:37.948851109 CET | 27180 | 49698 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:36:37.948949099 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:37.949342966 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:38.255235910 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:38.567869902 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:39.177126884 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:40.380326033 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:42.786535978 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:47.599078894 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:36:57.208873987 CET | 49698 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:02.224805117 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:02.309685946 CET | 27180 | 49701 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:02.309828043 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:02.310190916 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:02.614805937 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:02.929702044 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:03.536798954 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:04.739845037 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:07.146135092 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:11.958667040 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:21.568269014 CET | 49701 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:26.584513903 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:26.690032959 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:26.690232992 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:26.690614939 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:26.990020037 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:27.003633976 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:27.211760998 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:27.239895105 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:27.436783075 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:27.436945915 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:27.465084076 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:27.505789042 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:27.702501059 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:27.702558041 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:29.539199114 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:29.927561045 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:30.161195040 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:33.768693924 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:33.818202019 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:33.849004030 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.005822897 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.005963087 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.224482059 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.463529110 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.832659960 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835062027 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835099936 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835134029 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.835144997 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835179090 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835191011 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.835220098 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835252047 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835264921 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.835294962 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835326910 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835340023 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.835370064 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835401058 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835418940 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.835439920 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835470915 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:34.835484028 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:34.882211924 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.082211971 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083306074 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083364964 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083379030 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083400011 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083424091 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083444118 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083444118 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083466053 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083482027 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083482981 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083518028 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083550930 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083619118 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083637953 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083663940 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083687067 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083729029 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083740950 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083759069 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083812952 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083836079 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083853960 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083870888 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083887100 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083899975 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.083904028 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.083930016 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.101453066 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.101517916 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.101639986 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.146318913 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318315029 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318357944 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318401098 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318417072 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318434954 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318444967 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318464994 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318473101 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318509102 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318521023 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318607092 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318624973 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318650961 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318654060 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318667889 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318685055 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318703890 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318706036 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318725109 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318747044 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318788052 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318829060 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318856001 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318871021 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.318886042 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318907976 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.318938971 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:35.565397978 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:35.565509081 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:37.955498934 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:37.976083994 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.042191029 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:38.042304039 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.042787075 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.266892910 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:38.267255068 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.349490881 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.557951927 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:38.571386099 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:38.572082996 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.815344095 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:38.815515041 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:38.880848885 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.044178009 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.103059053 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.267122984 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.267323971 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.268313885 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.268450975 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.317946911 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.485940933 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.486097097 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.487637997 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.552138090 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.589716911 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.630424023 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.708733082 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.709801912 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.774065018 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.774163961 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.818077087 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.877089977 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.877357960 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:39.928314924 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:39.928474903 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.034873009 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.034959078 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.037539959 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.151016951 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.151104927 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.320199966 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.320323944 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.426145077 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.426346064 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.585001945 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.588731050 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.696060896 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.696207047 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.816176891 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.816409111 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.942615986 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:40.981904030 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:40.982028961 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.039011002 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.088131905 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.088275909 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.170310020 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.170418024 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.268232107 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.268587112 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.309937954 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.310067892 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.364923954 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.365211010 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.408905029 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.409177065 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.459817886 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.532144070 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.554419041 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.570321083 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.581034899 CET | 27180 | 49705 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:41.581186056 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.582716942 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.629040003 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.661155939 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.754725933 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.786880016 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.880836010 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:41.926064014 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:42.049560070 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:42.237534046 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:42.240139008 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:42.943439007 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:44.334007978 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:47.099611998 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:52.537692070 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:52.631081104 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:52.810930014 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:52.811115026 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:37:53.091445923 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:55.010845900 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:37:55.052835941 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:03.677825928 CET | 49705 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:04.037592888 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:04.318363905 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:38:04.318643093 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:04.588134050 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:38:15.839905977 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:16.102430105 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Mar 29, 2025 13:38:16.102547884 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:16.615375042 CET | 49703 | 27180 | 192.168.2.6 | 147.185.221.21
Mar 29, 2025 13:38:16.838929892 CET | 27180 | 49703 | 147.185.221.21 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2025 13:36:49.303415060 CET | 53 | 64001 | 162.159.36.2 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.31 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.19 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.25 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.29 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.21 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.27 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.23 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:24.688249111 CET | 1.1.1.1 | 192.168.2.6 | 0x294 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.17 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.23 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.17 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.31 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.19 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.25 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.29 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.21 | A (IP address) | IN (0x0001) | false
Mar 29, 2025 13:36:37.238760948 CET | 1.1.1.1 | 192.168.2.6 | 0x6b63 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.27 | A (IP address) | IN (0x0001) | false

                                Target ID:1
                                Start time:08:36:06
                                Start date:29/03/2025
                                Path:C:\Users\user\Desktop\Zexo.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\Zexo.exe"
                                Imagebase:0x110000
                                File size:64'512 bytes
                                MD5 hash:FE21311E262630AF1A54520F55CA8C69
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.1210631282.0000000000112000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2471678534.0000000000762000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2472987250.0000000002477000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.2472987250.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:low
                                Has exited:false

                                Execution Graph

                                Execution Coverage:15.6%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:100%
                                Total number of Nodes:5
                                Total number of Limit Nodes:1
                                Execution graph (nodes and edges recovered from the graph data):
                                • Node 16447: 7ff88b4e31de
                                • Node 16448: 7ff88b4e320f
                                • Node 16449: 7ff88b4e337b
                                • Node 16450: 7ff88b4e3504 (NtProtectVirtualMemory)
                                • Node 16451: 7ff88b4e3545
                                • Edges: 16447->16448, 16448->16449, 16448->16450, 16450->16451

                                Executed Functions

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID: &$m
                                • API String ID: 0-23731971
                                • Opcode ID: 722b5a3088b400b625e704ce12d6d5c5c1a5ab7f0d35fb09434340bb02b90676
                                • Instruction ID: 360331bfc743072eccacd2cc6d7d0f7c5603c4294de55440f8de9a58ccc84cf1
                                • Opcode Fuzzy Hash: 722b5a3088b400b625e704ce12d6d5c5c1a5ab7f0d35fb09434340bb02b90676
                                • Instruction Fuzzy Hash: 81029271E08A499FE799EF68D8557A9B7E5FF98740F0001BDE04DD3292CE395982CB01

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID: MemoryProtectVirtual
                                • String ID:
                                • API String ID: 2706961497-0
                                • Opcode ID: 68221e5c9d4dc313bcb2a6646b456d4f607c94093c0eda8d741534650de3bd90
                                • Instruction ID: e6ca998266f78d4b4448bfdf1253adba5106cba8583cb9b1b48b10debbb9f76f
                                • Opcode Fuzzy Hash: 68221e5c9d4dc313bcb2a6646b456d4f607c94093c0eda8d741534650de3bd90
                                • Instruction Fuzzy Hash: C2C14B31A0CA494FE71EE76898162FA77E1FF95360F04417ED48AC3597DE3CA8468782

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID: VJ_H
                                • API String ID: 0-4144697165
                                • Opcode ID: 8d3d57e149c17405171df58b3ec410291ab176900b89fae9fb8d3ece7c68b4ac
                                • Instruction ID: 5b574a0b0bf8029deeff2b2a5a6e8e34ed0df9740484f3e84c0df45f94572114
                                • Opcode Fuzzy Hash: 8d3d57e149c17405171df58b3ec410291ab176900b89fae9fb8d3ece7c68b4ac
                                • Instruction Fuzzy Hash: 0302E532F0CE458BF759A62C68661B977D2FFD9790B0801BBD04EC32E7DD28A8478645

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID: ?L_L
                                • API String ID: 0-2999258991
                                • Opcode ID: 79c91d401b742046ca80554718f1ccf36ff45e32546616458df7009bab8b77da
                                • Instruction ID: 9aff8e3c3fdfc32d0e1c6c93d799e2f93fb606b67cd6cc3a3af7aff19aa3c874
                                • Opcode Fuzzy Hash: 79c91d401b742046ca80554718f1ccf36ff45e32546616458df7009bab8b77da
                                • Instruction Fuzzy Hash: 63B1F071B5CA448FE78CAB2CA45A77477D1FB98750F1441BEE00DC72A3DE29A8428786
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 607099da1468169751e40c6d58675d2a59f1de86a73f450c1a594ae41c45d4e8
                                • Instruction ID: 012c97a1ccc353fd8323922da63af69f4989d82fb6ccafa0fa220aa1e176eb7b
                                • Opcode Fuzzy Hash: 607099da1468169751e40c6d58675d2a59f1de86a73f450c1a594ae41c45d4e8
                                • Instruction Fuzzy Hash: 0A320431E0CA4A4FE759A77C98566B977D1FFD92A0B0801BED04EC71A7DD2CA886C341
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 96943cd8c0b0ab649d0d3a3dbc72c2e463ae16a13021efd1b5414b5ca7825b6a
                                • Instruction ID: 25acdb29f8e19b7a571287f422f00146a0b8a50cfcbd93860b813f2b459ac0be
                                • Opcode Fuzzy Hash: 96943cd8c0b0ab649d0d3a3dbc72c2e463ae16a13021efd1b5414b5ca7825b6a
                                • Instruction Fuzzy Hash: 9232F831E1CA464BE758E62C98566B577C2FFC4790F4445BED04EC32E3DE28A846C785
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9f1cd0de9ab39c15a68625d0175c65ae86b68ec157c294cfbee94afdcf8083e8
                                • Instruction ID: 2dcb8aa49b1f56ce98026f051bd0c7569a98ff68ff1e44e858a1ef3f20115fff
                                • Opcode Fuzzy Hash: 9f1cd0de9ab39c15a68625d0175c65ae86b68ec157c294cfbee94afdcf8083e8
                                • Instruction Fuzzy Hash: 0C227430A1CB4A8FE7A8DF18985567AB7D1FBD8750F14467EC48DC32A6DE34A842C742
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 73b098a4625323535b879a511648bafc2b4f86d889212fd440a842e4f5f2d7f0
                                • Instruction ID: 162dd5c8f3b06647ce0cda40c5fcb864150f1833b88f2331ac6405e615c5cc2c
                                • Opcode Fuzzy Hash: 73b098a4625323535b879a511648bafc2b4f86d889212fd440a842e4f5f2d7f0
                                • Instruction Fuzzy Hash: 2412B731E0CA49CFEB98DA5898556BA77E2FF94750F04417ED40EC72A7DE34A842CB42
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2752d4a3c1019e51210a3df9e9bf75d4f59b6c9e8502203cfe39e3be9d7b501
                                • Instruction ID: cf9e63530fed301d576932cd7ec6ea3462c245ba1a57cbc0632e457c4058380e
                                • Opcode Fuzzy Hash: c2752d4a3c1019e51210a3df9e9bf75d4f59b6c9e8502203cfe39e3be9d7b501
                                • Instruction Fuzzy Hash: E2F19630908A8D8FEBA8DF28C8567E977D1FF94350F44426EE84DC7291CB749985CB82
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c5e1663ef9e7bac765230a6ee557db173776b93380301753095e405809e9730
                                • Instruction ID: 8168d9e78884fca1b4c3f903918d714f1ad20d9ac23a7f5d64879d088f92c550
                                • Opcode Fuzzy Hash: 8c5e1663ef9e7bac765230a6ee557db173776b93380301753095e405809e9730
                                • Instruction Fuzzy Hash: 1FE1B530908A4D8FEBA8DF68C8567E977D1FF94350F14426ED84DC7291DB789885CB81
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc4010ad5952c30784a3a732fed707de77031dff588c7c5359f61468f0bef34e
                                • Instruction ID: 37ec59022a8c07b7238ba110736dea2b9baa224fd454646c552db53ef37d968f
                                • Opcode Fuzzy Hash: cc4010ad5952c30784a3a732fed707de77031dff588c7c5359f61468f0bef34e
                                • Instruction Fuzzy Hash: 7E912723B0C9560BE714BAACB4565FA77D1FFC57B070401BBD04ECB1A3CE18A846C286

                                Non-executed Functions

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2489639433.00007FF88B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88B4E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff88b4e0000_Zexo.jbxd
                                Similarity
                                • API ID:
                                • String ID: oL_
                                • API String ID: 0-842947659
                                • Opcode ID: b85b03e6fbc2c81d6bddea51a40c3954e52bc3d081c205c4b953c26fa012d33e
                                • Instruction ID: f9a37c14a4f59a9ce1bfe35247a27330fc7bec28d7fb6dfeb2e7058d1712feb0
                                • Opcode Fuzzy Hash: b85b03e6fbc2c81d6bddea51a40c3954e52bc3d081c205c4b953c26fa012d33e
                                • Instruction Fuzzy Hash: B0528421F18D4A4BE768FB68949A77973D2FFE43A0F54417AD00EC31E7DD28A8868741