Edit tour

Windows Analysis Report
250427-xt4dsszrv3.bin.exe

Overview

General Information

Sample name:	250427-xt4dsszrv3.bin.exe
Analysis ID:	1675600
MD5:	dd6e4da328dca0e94fa0bf263276ed44
SHA1:	4f9e1cd25c1abe4c96a2a5db0893b153377f8695
SHA256:	685b4307728abd92415c2d9c001761cfa0481b29689b35106f7a5ee1d1117c8a
Tags:	user-UNP4CK
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Joe Sandbox ML detected suspicious sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

250427-xt4dsszrv3.bin.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe" MD5: DD6E4DA328DCA0E94FA0BF263276ED44)

cmd.exe (PID: 7828 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7912 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7844 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7924 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

mantekaaaa.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Roaming\mantekaaaa.exe" MD5: DD6E4DA328DCA0E94FA0BF263276ED44)

mantekaaaa.exe (PID: 7948 cmdline: C:\Users\user\AppData\Roaming\mantekaaaa.exe MD5: DD6E4DA328DCA0E94FA0BF263276ED44)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/AsyncRAT/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
250427-xt4dsszrv3.bin.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
250427-xt4dsszrv3.bin.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ed9:$str01: get_ActivatePong 0x7c2f:$str02: get_SslClient 0x7c4b:$str03: get_TcpClient 0x653e:$str04: get_SendSync 0x65fc:$str05: get_IsConnected 0x6c20:$str06: set_UseShellExecute 0xa5c7:$str07: Pastebin 0xa649:$str08: Select * from AntivirusProduct 0xa3a1:$str10: timeout 3 > NUL 0xa291:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa321:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
250427-xt4dsszrv3.bin.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa323:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\mantekaaaa.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\mantekaaaa.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ed9:$str01: get_ActivatePong 0x7c2f:$str02: get_SslClient 0x7c4b:$str03: get_TcpClient 0x653e:$str04: get_SendSync 0x65fc:$str05: get_IsConnected 0x6c20:$str06: set_UseShellExecute 0xa5c7:$str07: Pastebin 0xa649:$str08: Select * from AntivirusProduct 0xa3a1:$str10: timeout 3 > NUL 0xa291:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa321:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
C:\Users\user\AppData\Roaming\mantekaaaa.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa323:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa123:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa833:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1c3da:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27422:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x141ea:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x35c24:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x430a0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: mantekaaaa.exe PID: 7948	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: mantekaaaa.exe PID: 7948	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x35976:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x50d9:$str01: get_ActivatePong 0x5e2f:$str02: get_SslClient 0x5e4b:$str03: get_TcpClient 0x473e:$str04: get_SendSync 0x47fc:$str05: get_IsConnected 0x4e20:$str06: set_UseShellExecute 0x87c7:$str07: Pastebin 0x8849:$str08: Select * from AntivirusProduct 0x85a1:$str10: timeout 3 > NUL 0x8491:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x8521:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8523:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ed9:$str01: get_ActivatePong 0x7c2f:$str02: get_SslClient 0x7c4b:$str03: get_TcpClient 0x653e:$str04: get_SendSync 0x65fc:$str05: get_IsConnected 0x6c20:$str06: set_UseShellExecute 0xa5c7:$str07: Pastebin 0xa649:$str08: Select * from AntivirusProduct 0xa3a1:$str10: timeout 3 > NUL 0xa291:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa321:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa323:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x6ed9:$str01: get_ActivatePong 0x7c2f:$str02: get_SslClient 0x7c4b:$str03: get_TcpClient 0x653e:$str04: get_SendSync 0x65fc:$str05: get_IsConnected 0x6c20:$str06: set_UseShellExecute 0xa5c7:$str07: Pastebin 0xa649:$str08: Select * from AntivirusProduct 0xa3a1:$str10: timeout 3 > NUL 0xa291:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa321:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa323:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe", ParentImage: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe, ParentProcessId: 7744, ParentProcessName: 250427-xt4dsszrv3.bin.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit, ProcessId: 7828, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7828, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' , ProcessId: 7912, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Operating System Destruction
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 250427-xt4dsszrv3.bin.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe

Avira: detection malicious, Label: HEUR/AGEN.1360508

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: 250427-xt4dsszrv3.bin.exe	Virustotal: Detection: 77%			Perma Link
Source: 250427-xt4dsszrv3.bin.exe	ReversingLabs: Detection: 86%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 97.9%

Sample uses string decryption to hide its real strings

Source: 250427-xt4dsszrv3.bin.exe	String decryptor: 12802
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: 0.tcp.eu.ngrok.io
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: 0.5.8
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: true
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: XaYVyizsO2Bz
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: MIIE8jCCAtqgAwIBAgIQAJUIs5zUMjOTMx3DQgpiZTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwNDI0MjEwNzAzWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJz5KpT+IeiomYVFpjqohlyaZ/vShAoclF7NWWYulof0lme8RYBY15P4TExXFVLI4qW3NHKl7AiA8lkpgm3ZM5EiRLlwTPBGi/BBGNSjRHPiWEszF1UI9FFz2GctP/ml32vgLIxm4nmVp4OFfHM+Swx6ud/d0ZiQvSsi0yLKCbceP45RKWiILbqTv322B+FTKStEyvdbkDTF3GR5dN01B34qZFDCYMDERRdRbu2+kXY55r9h/YTUR4XVWwrw92KpepbzEtYnCthbAaqFgVKxH54/NgHmvNUc3Ho4LGmPHbElC0h5rfsoRfKESWOjTtaqKkOcu65iwbD6z5sxxpuLm5yY65aR10M/kUP2si2HEZ5jeX5AU6frxXINUdPCQ/RYF6DiXNLb1IB+G2NjYaju48deu9Ux8p5odESgNuGLA6iybU24OH3O/+jUOfYuuk9J69lLaskdRRVDw0nUeYRX6RGdTj1slkyFfrnC+rJ1pEg2IMPWsdqPaG3Ynv6Wqa03epuUJutiBmlGLa5NPjxUDkfMzdreCV4LZp6aVYmnu7kiKfKA9c/EZsVxzvD6dLuuSnd/mT1gQS4gQADs2peZHzkRKfgs/9DmOVI50JG4XASZCBYwjw2bST1DTddvljSIfQ2APZ5CAXRc5AXIl/LkYgVEgK1BA61Dr2uDz8NROBHPAgMBAAGjMjAwMB0GA1UdDgQWBBQBT/jSXenFu0hFCO06ERalsbP5ajAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA156gPZsCS8jLbZUOa7HCo3xD35eFrGDCPJVvpwp9eOijpaFCo2LzYNOzLQ4XTuLonzz+qQagA46R8vyZm1URt7JjbhwHhCYNA8m7OkVU+fXLaBbsBQmoLA6Je7QymbtHK4UJGopGiLORuN4tSkoUnoKBIauL2X7XoKxbiLSp9TGokbQIkz7u2E6iPQk1qeLJNEN0SSgdI5rrcv8u3g+VELJF9ltQU426+kTSYQ4V3BY1Qxbnym+NuD7tZWh0OAxyMA9l0kLysdXwscBxfpcvKsAgr7/iW1p1EGXLZoJi/OJ41PAhgKY7dSS8usjO2MQB2tEx6DVymbDAc8HKaEawLNzi04hUAI7j6bi/rRrtouRLQrGFRYxEquYCBRrqeKUo+1q/TbY83bUuAozkDC3H+fV6/CRFKDxelMQ9+NTEAahkacFjqUWzgAP/qfmUJvjbeUqc0fPL9jPrhvei7iz+ejcjD1qJjFiu7WHnv5916O3lX0JFx3ewZLiRqK7sV62MiMaoI0MK8SjMqr4HGxKz0t7rvIOEIN3u4K6UKG2S+S1DZhKmTlceGFpofy88V/ODiC4VxPZfo5psfa8zn/Af3dlpzb0fDLpftZN41PVflR3oiKfbz8ndFvZ1QrYXgIdNiynBqcEEMHogY6d1TUMBPbOJmDQZOJ759fjo/Jch3QA==
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: K34dL2g8m3roWyfEuo+ij2IuhFhNN9yriYY26x4P0HfoY39fj9ZhN2RefmqCVtQ9pn3t2OKMVDAoPG6KJjmLJiOhe0zjUBKBRDwPci1xefynR/GcKMYO+GKlV0qkEDRKBtxwh9A8DI4oD2klP/WmkRcWBrdJLJyBviFIGEc2M9WEGl1eIC9GuO1tjUVcEIJ4BUDjt20QpPkEv8Wks7jpQ70h4PqzQ1ABEuCxnr8WFLGaNRkikgKZ8RWmCwMg31073iILc+qHCe1JCW5jyIOF7rzrBMAt8wa5BF07q9kFYXxIjl5qudzp8NiVrlLqgIgkdf+eMmB8UplmtPIeSx+g1PuEPnxt2C2FNCZJlP5v34gQRRdUJZqMfQnc3XOp1qOA66i7kL2yDTO5DAXf/NSkPdqRcoP6vIV/K9S/p99wzykxDfHCOyrUzbr6HOqz1SxY6EqfXFKGe7QPuuqFzSt00E4WCLRMLKFbFqxBhUry1A5YW4KEVLLV6x71GjEzvbVVuewX+81SHmGGyGzfH73Qcc9iYAzc2HLbodgTOCdjOn210dpWJP8CujmdmqVAvYtmWu/DfUtrnK9hYp6Ea6dFb9IVku47p4tfdp3kjBvJiH43TACiEBSyctX9IeTZ0ICLnjRgM/RMWzKaZSs25paPSkgMm4Yvy7d55/Gd1PJH1Uo=
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: null
Source: 250427-xt4dsszrv3.bin.exe	String decryptor: Default
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: 12802
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: 0.tcp.eu.ngrok.io
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: 0.5.8
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: true
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: XaYVyizsO2Bz
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: MIIE8jCCAtqgAwIBAgIQAJUIs5zUMjOTMx3DQgpiZTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjUwNDI0MjEwNzAzWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJz5KpT+IeiomYVFpjqohlyaZ/vShAoclF7NWWYulof0lme8RYBY15P4TExXFVLI4qW3NHKl7AiA8lkpgm3ZM5EiRLlwTPBGi/BBGNSjRHPiWEszF1UI9FFz2GctP/ml32vgLIxm4nmVp4OFfHM+Swx6ud/d0ZiQvSsi0yLKCbceP45RKWiILbqTv322B+FTKStEyvdbkDTF3GR5dN01B34qZFDCYMDERRdRbu2+kXY55r9h/YTUR4XVWwrw92KpepbzEtYnCthbAaqFgVKxH54/NgHmvNUc3Ho4LGmPHbElC0h5rfsoRfKESWOjTtaqKkOcu65iwbD6z5sxxpuLm5yY65aR10M/kUP2si2HEZ5jeX5AU6frxXINUdPCQ/RYF6DiXNLb1IB+G2NjYaju48deu9Ux8p5odESgNuGLA6iybU24OH3O/+jUOfYuuk9J69lLaskdRRVDw0nUeYRX6RGdTj1slkyFfrnC+rJ1pEg2IMPWsdqPaG3Ynv6Wqa03epuUJutiBmlGLa5NPjxUDkfMzdreCV4LZp6aVYmnu7kiKfKA9c/EZsVxzvD6dLuuSnd/mT1gQS4gQADs2peZHzkRKfgs/9DmOVI50JG4XASZCBYwjw2bST1DTddvljSIfQ2APZ5CAXRc5AXIl/LkYgVEgK1BA61Dr2uDz8NROBHPAgMBAAGjMjAwMB0GA1UdDgQWBBQBT/jSXenFu0hFCO06ERalsbP5ajAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA156gPZsCS8jLbZUOa7HCo3xD35eFrGDCPJVvpwp9eOijpaFCo2LzYNOzLQ4XTuLonzz+qQagA46R8vyZm1URt7JjbhwHhCYNA8m7OkVU+fXLaBbsBQmoLA6Je7QymbtHK4UJGopGiLORuN4tSkoUnoKBIauL2X7XoKxbiLSp9TGokbQIkz7u2E6iPQk1qeLJNEN0SSgdI5rrcv8u3g+VELJF9ltQU426+kTSYQ4V3BY1Qxbnym+NuD7tZWh0OAxyMA9l0kLysdXwscBxfpcvKsAgr7/iW1p1EGXLZoJi/OJ41PAhgKY7dSS8usjO2MQB2tEx6DVymbDAc8HKaEawLNzi04hUAI7j6bi/rRrtouRLQrGFRYxEquYCBRrqeKUo+1q/TbY83bUuAozkDC3H+fV6/CRFKDxelMQ9+NTEAahkacFjqUWzgAP/qfmUJvjbeUqc0fPL9jPrhvei7iz+ejcjD1qJjFiu7WHnv5916O3lX0JFx3ewZLiRqK7sV62MiMaoI0MK8SjMqr4HGxKz0t7rvIOEIN3u4K6UKG2S+S1DZhKmTlceGFpofy88V/ODiC4VxPZfo5psfa8zn/Af3dlpzb0fDLpftZN41PVflR3oiKfbz8ndFvZ1QrYXgIdNiynBqcEEMHogY6d1TUMBPbOJmDQZOJ759fjo/Jch3QA==
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: K34dL2g8m3roWyfEuo+ij2IuhFhNN9yriYY26x4P0HfoY39fj9ZhN2RefmqCVtQ9pn3t2OKMVDAoPG6KJjmLJiOhe0zjUBKBRDwPci1xefynR/GcKMYO+GKlV0qkEDRKBtxwh9A8DI4oD2klP/WmkRcWBrdJLJyBviFIGEc2M9WEGl1eIC9GuO1tjUVcEIJ4BUDjt20QpPkEv8Wks7jpQ70h4PqzQ1ABEuCxnr8WFLGaNRkikgKZ8RWmCwMg31073iILc+qHCe1JCW5jyIOF7rzrBMAt8wa5BF07q9kFYXxIjl5qudzp8NiVrlLqgIgkdf+eMmB8UplmtPIeSx+g1PuEPnxt2C2FNCZJlP5v34gQRRdUJZqMfQnc3XOp1qOA66i7kL2yDTO5DAXf/NSkPdqRcoP6vIV/K9S/p99wzykxDfHCOyrUzbr6HOqz1SxY6EqfXFKGe7QPuuqFzSt00E4WCLRMLKFbFqxBhUry1A5YW4KEVLLV6x71GjEzvbVVuewX+81SHmGGyGzfH73Qcc9iYAzc2HLbodgTOCdjOn210dpWJP8CujmdmqVAvYtmWu/DfUtrnK9hYp6Ea6dFb9IVku47p4tfdp3kjBvJiH43TACiEBSyctX9IeTZ0ICLnjRgM/RMWzKaZSs25paPSkgMm4Yvy7d55/Gd1PJH1Uo=
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: true
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: null
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: true
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack	String decryptor: Default

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	TCP traffic: 192.168.2.4:49716 -> 18.192.31.30:12802
Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 3.71.225.231:12802

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io

Source: 250427-xt4dsszrv3.bin.exe, 00000000.00000002.1179987885.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, mantekaaaa.exe, 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: 00 00 00 00			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: 01 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Code function: 0_2_00E34088	0_2_00E34088
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Code function: 0_2_00E34958	0_2_00E34958
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Code function: 0_2_00E35B20	0_2_00E35B20
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Code function: 0_2_00E33D40	0_2_00E33D40
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Code function: 7_2_00714088	7_2_00714088
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Code function: 7_2_00714958	7_2_00714958
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Code function: 7_2_00715B20	7_2_00715B20
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Code function: 7_2_00713D40	7_2_00713D40

Source: 250427-xt4dsszrv3.bin.exe, 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDiscord.exe0 vs 250427-xt4dsszrv3.bin.exe
Source: 250427-xt4dsszrv3.bin.exe, 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiscord.exe0 vs 250427-xt4dsszrv3.bin.exe
Source: 250427-xt4dsszrv3.bin.exe	Binary or memory string: OriginalFilenameDiscord.exe0 vs 250427-xt4dsszrv3.bin.exe

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 250427-xt4dsszrv3.bin.exe, lsvJXszuJGwU.cs	Base64 encoded string: 'ILFBodZFh/fSnaBngtFU9hQpU2+9bI+AeuNxYlGuYO7EzQAz3xCDHlcaQClpQbRgvZn9Lupwx9OXoTD+CZvKjw==', 'pH85q6E8+abQAKbMwc4fs06O2U/oafOXKwudd11ZqO94Ubqtbx9lSSMjUSsywBa3m61S6Ou3gG7bSzpArBuA6tA+IkCyGDFncuJIWAb0a4M=', 'SM78ltu98Ggo2i1QKX0+l1Uhspz9nD9eRi2Og2UaeNrwU4+rXMjcYYzcHIgTF+L2KRAHQ+IS7/HW2bIjpxrWuA==', 'tAd/ECZ9qotib8bccK25fmq1IpV+AqT67uWti6iSQHLQj53sbN/YRs0/dU0HIHN6pr/FJP8BIqdVjw+v8w59Ko9MHGrIjqYzIruPsUVHKN0/GyyMXScoAoMLgWY4BE7sKtO02zABTN9mfIwop751niFLfsKLSiAtKylaT0rKbY2t1Bb180/6AFQGwAz4dbeDFjCVfV5ELfgD7cbh6cn/+FEe1nPv/Zvpjt76Ej/tmM75uultugOezpjeupottYmvPFEH8aUaI3/Zh7WZT4goaJiADuasym+ZPJnzQlBdWQDv/GW3kwFvDKcPa9sJymlW3aM3rorT2BENAoRER/IhOTicaEZ9RmFOIbGGMt6coka57HWImKq4GcAOSmnZUn6aAXUXNQ20BmkbOSCuTCTic8tplOzRiNDYDlCaXHfJV9dL+eg10EZKvbphB13dwPkxcz4/WB3ev0cu8LPxQYDaXbT45Jjai4L704CtVQW5H+DUsq3y1zconJDvyFbOWJf3sRI4aj+oA99UgoeYG8n66XzlvW4EBP7x6eK7VDnWGTZCGQGpvpe6YZTQtBhftfjJ6nWPkYGcQPtMnS+FEC4jkArKZuGwbwMAyIhojadpMd0eGBaPfMmC/4gB49dY0VglWEphPIFvVh8R/T+M3ZHGrJ94vu1tIcJbWjmG1cIF7ieNDrs8JGShiOxBP7lQlpk/waTeJVxgSaKn5zuqucQxMxpc/9B6QH2WQUAH0/9l0OohbpJiKOa/eiYEEVqfjfFhKXJQ7V+OB19P5uTudooxHbfCHkHujpXao6PiYX9LUG7Ycd4E2KuGFQyRVsKdQ/Z08rA0rHvfbWGHIsnwBIXAbIAmOlqBs1ubNj+ah1i/M2N3cvQpzeotsg3bSDWiuIa4hd/B0ZB5PGEpEol9IVfPnwOwY9FiRdWWmY9k1+s0LT6RpBYM37jzCFUumJCOx3++DxLx9YSHLL5cnNVrEaMjMQ==', 's5I7ZSLUeBIHxVhBQW0FFx1F4zGSS8MMMiIlnQ2aQnzJa3VbOT3/ZKywRzJrFuGgSfDLCDmRTuHHhDzBsBCSxg==', 'jM88hDdsrBrd4Z6ZzXf+IcHqeuQhTR5zG6AMYM0nX6RJK6TWAixRkEeQEqluoimWYm+FYb+K6d8bPhxr1HW4Rw==', 'QBBlUt0alPeLrNkgj0KoIsSwobTV+3EsETS9YWCsVgcnS/XGKpRCsMf1p5tTJZRI3dWbv+2K0mumEFXxN4N3iQ=='
Source: mantekaaaa.exe.0.dr, lsvJXszuJGwU.cs	Base64 encoded string: 'ILFBodZFh/fSnaBngtFU9hQpU2+9bI+AeuNxYlGuYO7EzQAz3xCDHlcaQClpQbRgvZn9Lupwx9OXoTD+CZvKjw==', 'pH85q6E8+abQAKbMwc4fs06O2U/oafOXKwudd11ZqO94Ubqtbx9lSSMjUSsywBa3m61S6Ou3gG7bSzpArBuA6tA+IkCyGDFncuJIWAb0a4M=', 'SM78ltu98Ggo2i1QKX0+l1Uhspz9nD9eRi2Og2UaeNrwU4+rXMjcYYzcHIgTF+L2KRAHQ+IS7/HW2bIjpxrWuA==', 'tAd/ECZ9qotib8bccK25fmq1IpV+AqT67uWti6iSQHLQj53sbN/YRs0/dU0HIHN6pr/FJP8BIqdVjw+v8w59Ko9MHGrIjqYzIruPsUVHKN0/GyyMXScoAoMLgWY4BE7sKtO02zABTN9mfIwop751niFLfsKLSiAtKylaT0rKbY2t1Bb180/6AFQGwAz4dbeDFjCVfV5ELfgD7cbh6cn/+FEe1nPv/Zvpjt76Ej/tmM75uultugOezpjeupottYmvPFEH8aUaI3/Zh7WZT4goaJiADuasym+ZPJnzQlBdWQDv/GW3kwFvDKcPa9sJymlW3aM3rorT2BENAoRER/IhOTicaEZ9RmFOIbGGMt6coka57HWImKq4GcAOSmnZUn6aAXUXNQ20BmkbOSCuTCTic8tplOzRiNDYDlCaXHfJV9dL+eg10EZKvbphB13dwPkxcz4/WB3ev0cu8LPxQYDaXbT45Jjai4L704CtVQW5H+DUsq3y1zconJDvyFbOWJf3sRI4aj+oA99UgoeYG8n66XzlvW4EBP7x6eK7VDnWGTZCGQGpvpe6YZTQtBhftfjJ6nWPkYGcQPtMnS+FEC4jkArKZuGwbwMAyIhojadpMd0eGBaPfMmC/4gB49dY0VglWEphPIFvVh8R/T+M3ZHGrJ94vu1tIcJbWjmG1cIF7ieNDrs8JGShiOxBP7lQlpk/waTeJVxgSaKn5zuqucQxMxpc/9B6QH2WQUAH0/9l0OohbpJiKOa/eiYEEVqfjfFhKXJQ7V+OB19P5uTudooxHbfCHkHujpXao6PiYX9LUG7Ycd4E2KuGFQyRVsKdQ/Z08rA0rHvfbWGHIsnwBIXAbIAmOlqBs1ubNj+ah1i/M2N3cvQpzeotsg3bSDWiuIa4hd/B0ZB5PGEpEol9IVfPnwOwY9FiRdWWmY9k1+s0LT6RpBYM37jzCFUumJCOx3++DxLx9YSHLL5cnNVrEaMjMQ==', 's5I7ZSLUeBIHxVhBQW0FFx1F4zGSS8MMMiIlnQ2aQnzJa3VbOT3/ZKywRzJrFuGgSfDLCDmRTuHHhDzBsBCSxg==', 'jM88hDdsrBrd4Z6ZzXf+IcHqeuQhTR5zG6AMYM0nX6RJK6TWAixRkEeQEqluoimWYm+FYb+K6d8bPhxr1HW4Rw==', 'QBBlUt0alPeLrNkgj0KoIsSwobTV+3EsETS9YWCsVgcnS/XGKpRCsMf1p5tTJZRI3dWbv+2K0mumEFXxN4N3iQ=='
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, lsvJXszuJGwU.cs	Base64 encoded string: 'ILFBodZFh/fSnaBngtFU9hQpU2+9bI+AeuNxYlGuYO7EzQAz3xCDHlcaQClpQbRgvZn9Lupwx9OXoTD+CZvKjw==', 'pH85q6E8+abQAKbMwc4fs06O2U/oafOXKwudd11ZqO94Ubqtbx9lSSMjUSsywBa3m61S6Ou3gG7bSzpArBuA6tA+IkCyGDFncuJIWAb0a4M=', 'SM78ltu98Ggo2i1QKX0+l1Uhspz9nD9eRi2Og2UaeNrwU4+rXMjcYYzcHIgTF+L2KRAHQ+IS7/HW2bIjpxrWuA==', 'tAd/ECZ9qotib8bccK25fmq1IpV+AqT67uWti6iSQHLQj53sbN/YRs0/dU0HIHN6pr/FJP8BIqdVjw+v8w59Ko9MHGrIjqYzIruPsUVHKN0/GyyMXScoAoMLgWY4BE7sKtO02zABTN9mfIwop751niFLfsKLSiAtKylaT0rKbY2t1Bb180/6AFQGwAz4dbeDFjCVfV5ELfgD7cbh6cn/+FEe1nPv/Zvpjt76Ej/tmM75uultugOezpjeupottYmvPFEH8aUaI3/Zh7WZT4goaJiADuasym+ZPJnzQlBdWQDv/GW3kwFvDKcPa9sJymlW3aM3rorT2BENAoRER/IhOTicaEZ9RmFOIbGGMt6coka57HWImKq4GcAOSmnZUn6aAXUXNQ20BmkbOSCuTCTic8tplOzRiNDYDlCaXHfJV9dL+eg10EZKvbphB13dwPkxcz4/WB3ev0cu8LPxQYDaXbT45Jjai4L704CtVQW5H+DUsq3y1zconJDvyFbOWJf3sRI4aj+oA99UgoeYG8n66XzlvW4EBP7x6eK7VDnWGTZCGQGpvpe6YZTQtBhftfjJ6nWPkYGcQPtMnS+FEC4jkArKZuGwbwMAyIhojadpMd0eGBaPfMmC/4gB49dY0VglWEphPIFvVh8R/T+M3ZHGrJ94vu1tIcJbWjmG1cIF7ieNDrs8JGShiOxBP7lQlpk/waTeJVxgSaKn5zuqucQxMxpc/9B6QH2WQUAH0/9l0OohbpJiKOa/eiYEEVqfjfFhKXJQ7V+OB19P5uTudooxHbfCHkHujpXao6PiYX9LUG7Ycd4E2KuGFQyRVsKdQ/Z08rA0rHvfbWGHIsnwBIXAbIAmOlqBs1ubNj+ah1i/M2N3cvQpzeotsg3bSDWiuIa4hd/B0ZB5PGEpEol9IVfPnwOwY9FiRdWWmY9k1+s0LT6RpBYM37jzCFUumJCOx3++DxLx9YSHLL5cnNVrEaMjMQ==', 's5I7ZSLUeBIHxVhBQW0FFx1F4zGSS8MMMiIlnQ2aQnzJa3VbOT3/ZKywRzJrFuGgSfDLCDmRTuHHhDzBsBCSxg==', 'jM88hDdsrBrd4Z6ZzXf+IcHqeuQhTR5zG6AMYM0nX6RJK6TWAixRkEeQEqluoimWYm+FYb+K6d8bPhxr1HW4Rw==', 'QBBlUt0alPeLrNkgj0KoIsSwobTV+3EsETS9YWCsVgcnS/XGKpRCsMf1p5tTJZRI3dWbv+2K0mumEFXxN4N3iQ=='

Source: 250427-xt4dsszrv3.bin.exe, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 250427-xt4dsszrv3.bin.exe, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: mantekaaaa.exe.0.dr, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: mantekaaaa.exe.0.dr, uLrDnYtvkZrQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 250427-xt4dsszrv3.bin.exe, 00000000.00000002.1179987885.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, mantekaaaa.exe, 00000007.00000002.2383698510.000000000244F000.00000004.00000800.00020000.00000000.sdmp, mantekaaaa.exe, 00000009.00000002.1252011105.0000000003091000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: .slNO

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/5@2/2

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

File created: C:\Users\user\AppData\Roaming\mantekaaaa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Mutant created: \Sessions\1\BaseNamedObjects\XaYVyizsO2Bz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp

Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat""

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 250427-xt4dsszrv3.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 250427-xt4dsszrv3.bin.exe	Virustotal: Detection: 77%
Source: 250427-xt4dsszrv3.bin.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

File read: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe "C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe"
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mantekaaaa.exe C:\Users\user\AppData\Roaming\mantekaaaa.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mantekaaaa.exe "C:\Users\user\AppData\Roaming\mantekaaaa.exe"
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mantekaaaa.exe "C:\Users\user\AppData\Roaming\mantekaaaa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 250427-xt4dsszrv3.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 250427-xt4dsszrv3.bin.exe, qhnhGUdzrttQbB.cs	High entropy of concatenated method names: 'OnHxZqrMwvuofH', 'mAnFKyHvXi', 'hYWtZoNRWUh', 'EmldLKHeZkeGNn', 'EAcXeCVkIAtZG', 'qEGIAGKJISLqnmnv', 'tzYmpgMygEd', 'ZGpuyZXgLZxcU', 'aZTMRPiVqWc', 'DnctsskPlQQiBLj'
Source: mantekaaaa.exe.0.dr, qhnhGUdzrttQbB.cs	High entropy of concatenated method names: 'OnHxZqrMwvuofH', 'mAnFKyHvXi', 'hYWtZoNRWUh', 'EmldLKHeZkeGNn', 'EAcXeCVkIAtZG', 'qEGIAGKJISLqnmnv', 'tzYmpgMygEd', 'ZGpuyZXgLZxcU', 'aZTMRPiVqWc', 'DnctsskPlQQiBLj'
Source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, qhnhGUdzrttQbB.cs	High entropy of concatenated method names: 'OnHxZqrMwvuofH', 'mAnFKyHvXi', 'hYWtZoNRWUh', 'EmldLKHeZkeGNn', 'EAcXeCVkIAtZG', 'qEGIAGKJISLqnmnv', 'tzYmpgMygEd', 'ZGpuyZXgLZxcU', 'aZTMRPiVqWc', 'DnctsskPlQQiBLj'

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

File created: C:\Users\user\AppData\Roaming\mantekaaaa.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"'

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 250427-xt4dsszrv3.bin.exe, mantekaaaa.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 2360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Memory allocated: 5090000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe

Window / User API: threadDelayed 878

Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: mantekaaaa.exe.0.dr	Binary or memory string: vmware
Source: 250427-xt4dsszrv3.bin.exe, 00000000.00000002.1179266486.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-
Source: mantekaaaa.exe, 00000007.00000002.2386346122.00000000048CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV)

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Code function: 0_2_00E32D4C CheckRemoteDebuggerPresent,

0_2_00E32D4C

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mantekaaaa.exe "C:\Users\user\AppData\Roaming\mantekaaaa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Queries volume information: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Queries volume information: C:\Users\user\AppData\Roaming\mantekaaaa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe	Queries volume information: C:\Users\user\AppData\Roaming\mantekaaaa.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 250427-xt4dsszrv3.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.250427-xt4dsszrv3.bin.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.250427-xt4dsszrv3.bin.exe.38d6510.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250427-xt4dsszrv3.bin.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mantekaaaa.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 Scripting	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
250427-xt4dsszrv3.bin.exe	78%	Virustotal		Browse
250427-xt4dsszrv3.bin.exe	86%	ReversingLabs	Win32.Backdoor.AsyncRat
250427-xt4dsszrv3.bin.exe	100%	Avira	HEUR/AGEN.1360508
SAMPLE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mantekaaaa.exe	100%	Avira	HEUR/AGEN.1360508
C:\Users\user\AppData\Roaming\mantekaaaa.exe	86%	ReversingLabs	Win32.Backdoor.AsyncRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
0.tcp.eu.ngrok.io	18.192.31.30	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	250427-xt4dsszrv3.bin.exe, 00000000.00000002.1179987885.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, mantekaaaa.exe, 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.192.31.30	0.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true
3.71.225.231	unknown	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1675600
Start date and time:	2025-04-27 21:14:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	250427-xt4dsszrv3.bin.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/5@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 32 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mantekaaaa.exe, PID 8068 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:15:19	Task Scheduler	Run new task: mantekaaaa path: "C:\Users\user\AppData\Roaming\mantekaaaa.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
18.192.31.30	YiWuyX184J.exe	Get hash	malicious	Njrat	Browse
	r0FS3r7Ore.exe	Get hash	malicious	Njrat	Browse
	OLHskBFtS1.exe	Get hash	malicious	Njrat	Browse
	lXLWfHWHMd.exe	Get hash	malicious	Njrat	Browse
3.71.225.231	r0FS3r7Ore.exe	Get hash	malicious	Njrat	Browse
3.71.225.231	4zeGOaTirn.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
0.tcp.eu.ngrok.io	svchost pastebin actual.exe	Get hash	malicious	XWorm	Browse	18.153.198.123
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	18.153.198.123
	CrSpoofer.exe	Get hash	malicious	AsyncRAT	Browse	3.78.28.71
	7299_output.vbs	Get hash	malicious	Unknown	Browse	3.78.28.71
	Opera.exe	Get hash	malicious	ZTrat	Browse	52.57.120.10
	YiWuyX184J.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	TLH3anP3lh.exe	Get hash	malicious	Njrat	Browse	52.57.120.10
	r0FS3r7Ore.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	OLHskBFtS1.exe	Get hash	malicious	Njrat	Browse	3.74.27.83
	lXLWfHWHMd.exe	Get hash	malicious	Njrat	Browse	18.192.31.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	na.elf	Get hash	malicious	Prometei	Browse	13.214.182.154
	zenmunet-bittery.exe	Get hash	malicious	Unknown	Browse	65.8.165.71
	GFController.exe	Get hash	malicious	Unknown	Browse	18.154.131.104
	sdc.exe	Get hash	malicious	Njrat	Browse	3.124.67.191
	250427-vdxvzat1ex.bin.exe	Get hash	malicious	Neconyd	Browse	44.247.155.67
	ppc.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	x86.elf	Get hash	malicious	Unknown	Browse	34.243.160.129
	250427-tnf5jawr13.bin.exe	Get hash	malicious	FloodFix, GhostRat	Browse	35.161.60.101
	250427-ta714awpt9.bin.exe	Get hash	malicious	XRed	Browse	108.139.10.35
	250427-ta714awpt9.bin.exe	Get hash	malicious	XRed	Browse	108.139.10.29
AMAZON-02US	na.elf	Get hash	malicious	Prometei	Browse	13.214.182.154
	zenmunet-bittery.exe	Get hash	malicious	Unknown	Browse	65.8.165.71
	GFController.exe	Get hash	malicious	Unknown	Browse	18.154.131.104
	sdc.exe	Get hash	malicious	Njrat	Browse	3.124.67.191
	250427-vdxvzat1ex.bin.exe	Get hash	malicious	Neconyd	Browse	44.247.155.67
	ppc.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	x86.elf	Get hash	malicious	Unknown	Browse	34.243.160.129
	250427-tnf5jawr13.bin.exe	Get hash	malicious	FloodFix, GhostRat	Browse	35.161.60.101
	250427-ta714awpt9.bin.exe	Get hash	malicious	XRed	Browse	108.139.10.35
	250427-ta714awpt9.bin.exe	Get hash	malicious	XRed	Browse	108.139.10.29

Process:	C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.348505694476449
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
MD5:	A65F13C4355387C4645D260206AE915F
SHA1:	F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
SHA-256:	DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
SHA-512:	0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mantekaaaa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\mantekaaaa.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat

Download File

Process:	C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.989498228555358
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5V8iAZmqRDt+kiE2J5xAInTRI4eGZPy:hWKqTtT6wknaZ5V8iAZmq1wkn23fTZeN
MD5:	111BFEDB2FE1184FCD5FA75B0AFD0DC8
SHA1:	945F1E3929BDA6913992866447BDE632AD717E8A
SHA-256:	BE88AE367533800A31B2692100078E5441C4A346791EEEB80322446F620253AE
SHA-512:	A1B35742320F75DD188ED67E5002E9D42219B880C2F680BAC909542AB631F9C551E0CB07C5EEBE897E20A233193EBF1E4D7C74F63BE1BCAE9780DC8FAE575BEF
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\mantekaaaa.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp7A0D.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\mantekaaaa.exe

Download File

Process:	C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	3.3565884382571527
Encrypted:	false
SSDEEP:	1536:XujY21TU0r2r23ehdf+hbygwlbjAikOapPXLocdSpp65GI:XujY6TU0r2oKf+hbyggjAiktPJ4vSGI
MD5:	DD6E4DA328DCA0E94FA0BF263276ED44
SHA1:	4F9E1CD25C1ABE4C96A2A5DB0893B153377F8695
SHA-256:	685B4307728ABD92415C2D9C001761CFA0481B29689B35106F7A5EE1D1117C8A
SHA-512:	054FC29D46338465D372E2C27E21A170DAF7110755ED4B5F6C1A9D91DB5DC4C9214A0199098F4FF32EA0CFC744B4D259F8315EFE7E0AC09CD64D6CE3C6854669
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: Joe Security Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e.....................h......~.... ........@.. ....................................@.................................,...O.......$e...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...$e.......f..................@..@.reloc.......`......................@..B................`.......H........Y..8v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr\|%.p~....(o....#....s...

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.3565884382571527
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	250427-xt4dsszrv3.bin.exe
File size:	334'848 bytes
MD5:	dd6e4da328dca0e94fa0bf263276ed44
SHA1:	4f9e1cd25c1abe4c96a2a5db0893b153377f8695
SHA256:	685b4307728abd92415c2d9c001761cfa0481b29689b35106f7a5ee1d1117c8a
SHA512:	054fc29d46338465d372e2c27e21a170daf7110755ed4b5f6c1a9d91db5dc4c9214a0199098f4ff32ea0cfc744b4d259f8315efe7e0ac09cd64d6ce3c6854669
SSDEEP:	1536:XujY21TU0r2r23ehdf+hbygwlbjAikOapPXLocdSpp65GI:XujY6TU0r2oKf+hbyggjAiktPJ4vSGI
TLSH:	6E6462E02698FF17E679CFBC48B191424D79BD13A513E40B6A8436CD0A33ACB4532DE6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e.....................h......~.... ........@.. ....................................@................................

File Icon


Icon Hash:	0f2b69d4d44d330f

Static PE Info

General

Entrypoint:	0x40d07e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd02c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x46524	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb084	0xb200	75edce6dcf8c6636e2b4d1f74349327a	False	0.5417837078651685	data	5.6167728870607485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x46524	0x46600	ecee44ab5bb1263bbf8283d551e2ad9e	False	0.0337790019982238	data	2.6028504911502264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	4cabfef58a4e8716ddd98e1c6e729d0d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe1c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.32180851063829785
RT_ICON	0xe628	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.18785178236397748
RT_ICON	0xf6d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.17074688796680498
RT_ICON	0x11c78	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.020719294611947808
RT_GROUP_ICON	0x53ca0	0x3e	data	0.7580645161290323
RT_VERSION	0x53ce0	0x3b0	data	0.4269067796610169
RT_MANIFEST	0x54090	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName	Discord Inc.
FileDescription	Discord
FileVersion	1.0.9189.0
InternalName	Discord.exe
LegalCopyright	Copyright (c) 2025-04-22 18:37:45.598179 Discord Inc. All rights reserved.
LegalTrademarks
OriginalFilename	Discord.exe
ProductName	Discord
ProductVersion	1.0.9189.0
Assembly Version	1.0.9189.0

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 32
• 12802 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2025 21:15:25.520715952 CEST	49716	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:25.798628092 CEST	12802	49716	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:26.300415993 CEST	49716	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:26.578188896 CEST	12802	49716	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:27.097204924 CEST	49716	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:27.374914885 CEST	12802	49716	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:27.889429092 CEST	49716	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:28.167196989 CEST	12802	49716	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:28.675333023 CEST	49716	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:28.953027010 CEST	12802	49716	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:33.957534075 CEST	49722	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:34.235354900 CEST	12802	49722	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:34.737857103 CEST	49722	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:35.015665054 CEST	12802	49722	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:35.519110918 CEST	49722	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:35.797177076 CEST	12802	49722	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:36.300395966 CEST	49722	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:36.578234911 CEST	12802	49722	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:37.081788063 CEST	49722	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:37.359574080 CEST	12802	49722	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:42.363879919 CEST	49723	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:42.642189980 CEST	12802	49723	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:43.146716118 CEST	49723	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:43.425208092 CEST	12802	49723	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:43.941014051 CEST	49723	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:44.219105005 CEST	12802	49723	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:44.722307920 CEST	49723	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:45.000678062 CEST	12802	49723	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:45.503561974 CEST	49723	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:45.781702042 CEST	12802	49723	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:50.785851955 CEST	49724	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:51.063553095 CEST	12802	49724	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:51.566041946 CEST	49724	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:51.843790054 CEST	12802	49724	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:52.363089085 CEST	49724	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:52.640976906 CEST	12802	49724	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:53.144165993 CEST	49724	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:53.421843052 CEST	12802	49724	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:53.925421000 CEST	49724	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:54.203044891 CEST	12802	49724	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:59.207900047 CEST	49725	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:15:59.487824917 CEST	12802	49725	18.192.31.30	192.168.2.4
Apr 27, 2025 21:15:59.987926960 CEST	49725	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:00.264175892 CEST	12802	49725	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:00.769264936 CEST	49725	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:01.045598030 CEST	12802	49725	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:01.550431013 CEST	49725	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:01.826831102 CEST	12802	49725	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:02.331686974 CEST	49725	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:02.608019114 CEST	12802	49725	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:07.614665985 CEST	49726	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:07.892502069 CEST	12802	49726	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:08.394208908 CEST	49726	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:08.671854019 CEST	12802	49726	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:09.175468922 CEST	49726	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:09.453233957 CEST	12802	49726	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:09.956902981 CEST	49726	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:10.234900951 CEST	12802	49726	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:10.737979889 CEST	49726	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:11.015633106 CEST	12802	49726	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:16.021056890 CEST	49728	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:16.299187899 CEST	12802	49728	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:16.800517082 CEST	49728	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:17.078588009 CEST	12802	49728	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:17.600920916 CEST	49728	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:17.878909111 CEST	12802	49728	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:18.401112080 CEST	49728	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:18.680283070 CEST	12802	49728	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:19.191095114 CEST	49728	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:19.469225883 CEST	12802	49728	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:24.473370075 CEST	49729	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:24.751552105 CEST	12802	49729	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:25.253632069 CEST	49729	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:25.531713009 CEST	12802	49729	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:26.034972906 CEST	49729	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:26.312964916 CEST	12802	49729	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:26.816143036 CEST	49729	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:27.094151020 CEST	12802	49729	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:27.597409964 CEST	49729	12802	192.168.2.4	18.192.31.30
Apr 27, 2025 21:16:27.875634909 CEST	12802	49729	18.192.31.30	192.168.2.4
Apr 27, 2025 21:16:33.049092054 CEST	49730	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:33.326988935 CEST	12802	49730	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:33.831813097 CEST	49730	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:34.109766006 CEST	12802	49730	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:34.613015890 CEST	49730	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:34.890978098 CEST	12802	49730	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:35.394269943 CEST	49730	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:35.672236919 CEST	12802	49730	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:36.175597906 CEST	49730	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:36.453577995 CEST	12802	49730	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:41.458103895 CEST	49731	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:41.736323118 CEST	12802	49731	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:42.238054037 CEST	49731	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:42.516196012 CEST	12802	49731	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:43.019288063 CEST	49731	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:43.297420025 CEST	12802	49731	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:43.800538063 CEST	49731	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:44.078613997 CEST	12802	49731	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:44.581787109 CEST	49731	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:44.859922886 CEST	12802	49731	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:49.864586115 CEST	49732	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:50.142307997 CEST	12802	49732	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:50.644320011 CEST	49732	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:50.922082901 CEST	12802	49732	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:51.425576925 CEST	49732	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:51.703243971 CEST	12802	49732	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:52.206891060 CEST	49732	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:52.484586954 CEST	12802	49732	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:52.988097906 CEST	49732	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:53.265777111 CEST	12802	49732	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:58.270299911 CEST	49733	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:58.548496008 CEST	12802	49733	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:59.050586939 CEST	49733	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:16:59.328701019 CEST	12802	49733	3.71.225.231	192.168.2.4
Apr 27, 2025 21:16:59.831830978 CEST	49733	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:00.110702991 CEST	12802	49733	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:00.613071918 CEST	49733	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:00.891297102 CEST	12802	49733	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:01.394314051 CEST	49733	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:01.672941923 CEST	12802	49733	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:06.709252119 CEST	49734	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:06.988089085 CEST	12802	49734	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:07.488136053 CEST	49734	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:07.767267942 CEST	12802	49734	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:08.269365072 CEST	49734	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:08.548175097 CEST	12802	49734	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:09.050602913 CEST	49734	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:09.329320908 CEST	12802	49734	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:09.831849098 CEST	49734	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:10.110668898 CEST	12802	49734	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:15.114257097 CEST	49735	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:15.392128944 CEST	12802	49735	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:15.895349979 CEST	49735	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:16.173089981 CEST	12802	49735	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:16.675605059 CEST	49735	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:16.953495979 CEST	12802	49735	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:17.456984997 CEST	49735	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:17.735815048 CEST	12802	49735	3.71.225.231	192.168.2.4
Apr 27, 2025 21:17:18.238380909 CEST	49735	12802	192.168.2.4	3.71.225.231
Apr 27, 2025 21:17:18.516314030 CEST	12802	49735	3.71.225.231	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2025 21:15:24.815685987 CEST	57199	53	192.168.2.4	1.1.1.1
Apr 27, 2025 21:15:24.986258030 CEST	53	57199	1.1.1.1	192.168.2.4
Apr 27, 2025 21:16:32.879594088 CEST	61152	53	192.168.2.4	1.1.1.1
Apr 27, 2025 21:16:33.048316002 CEST	53	61152	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2025 21:15:24.815685987 CEST	192.168.2.4	1.1.1.1	0x335b	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Apr 27, 2025 21:16:32.879594088 CEST	192.168.2.4	1.1.1.1	0xf2a	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 27, 2025 21:15:24.986258030 CEST	1.1.1.1	192.168.2.4	0x335b	No error (0)	0.tcp.eu.ngrok.io		18.192.31.30	A (IP address)	IN (0x0001)	false
Apr 27, 2025 21:16:33.048316002 CEST	1.1.1.1	192.168.2.4	0xf2a	No error (0)	0.tcp.eu.ngrok.io		3.71.225.231	A (IP address)	IN (0x0001)	false

Statistics

Click to jump to process

Memory Usage

• 250427-xt4dsszrv3.bin.exe
• cmd.exe
• conhost.exe
• cmd.exe
• conhost.exe
• schtasks.exe
• timeout.exe
• mantekaaaa.exe
• mantekaaaa.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• 250427-xt4dsszrv3.bin.exe
• cmd.exe
• conhost.exe
• cmd.exe
• conhost.exe
• schtasks.exe
• timeout.exe
• mantekaaaa.exe
• mantekaaaa.exe

Click to jump to process

Target ID:	0
Start time:	15:15:12
Start date:	27/04/2025
Path:	C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\250427-xt4dsszrv3.bin.exe"
Imagebase:	0x4b0000
File size:	334'848 bytes
MD5 hash:	DD6E4DA328DCA0E94FA0BF263276ED44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1129477830.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1181310315.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1179987885.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"' & exit
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat""
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "mantekaaaa" /tr '"C:\Users\user\AppData\Roaming\mantekaaaa.exe"'
Imagebase:	0x610000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:15:17
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x320000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:15:19
Start date:	27/04/2025
Path:	C:\Users\user\AppData\Roaming\mantekaaaa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mantekaaaa.exe
Imagebase:	0xd0000
File size:	334'848 bytes
MD5 hash:	DD6E4DA328DCA0E94FA0BF263276ED44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2383698510.000000000242C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: Joe Security Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\mantekaaaa.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 86%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:15:20
Start date:	27/04/2025
Path:	C:\Users\user\AppData\Roaming\mantekaaaa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mantekaaaa.exe"
Imagebase:	0xd80000
File size:	334'848 bytes
MD5 hash:	DD6E4DA328DCA0E94FA0BF263276ED44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00E35B20 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 00E35C27
$q, xrefs: 00E35C0E

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 938a0212c6fb0d1a0bd986b48a980231f37fcabec54329c777193f9c1e07ca9a
Instruction ID: f57d19b037c6b7b6b659322d0c4769943142c4e1093d0eba3e3b184f7fbd72da
Opcode Fuzzy Hash: 938a0212c6fb0d1a0bd986b48a980231f37fcabec54329c777193f9c1e07ca9a
Instruction Fuzzy Hash: 1FB17035B047548FDB18AB799C5867E7BB7ABC8300B15882ED406EB385DE349D02D7A2

Function 00E32D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00E3532F

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 5d25cb36816e2ccbb25d99cdb08897346d6108e5f6ca1ae318149bc6846f9bc9
Instruction ID: 0603f9e303c1914b21afd619138d400d9cb8252fbd258f016a005eb66cb0adf4
Opcode Fuzzy Hash: 5d25cb36816e2ccbb25d99cdb08897346d6108e5f6ca1ae318149bc6846f9bc9
Instruction Fuzzy Hash: 6D2136B28016598FDB10CF9AC484BEEBBF4EF48310F14842AE859B7350D778A944CFA1

Function 00E34088 Relevance: .3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfc79a79e89dab3e6583b698e21a5dbe09df2d6559e08da812e442018a96609
Instruction ID: 92445356e93a536403821e3c329ebee45ae8864e0679d21aec4754e1ef7d032a
Opcode Fuzzy Hash: ebfc79a79e89dab3e6583b698e21a5dbe09df2d6559e08da812e442018a96609
Instruction Fuzzy Hash: 7CB131B0E00609CFDB14CFA9D88979EBFF2BF88314F149129E815B7294DB74A845CB91

Function 00E34958 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c23cf7cc1c08be70a796cfcf62af4b82316c4d9c3ac1927d3b8caf3764ebe4e
Instruction ID: 622da5790855fac5012cd7ef159892181d98c3d901c28fd1ffddc948823ef0c7
Opcode Fuzzy Hash: 3c23cf7cc1c08be70a796cfcf62af4b82316c4d9c3ac1927d3b8caf3764ebe4e
Instruction Fuzzy Hash: DBB13BB0E002098FEB14CFA9D88979DBFF2BF88354F149129D415B7294EB75A845CB85

Function 00E352B0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00E3532F

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b081ee7c62c07c52883b30d4cd0ca859fc2161849c04e2f1a0fbf1f3013a0994
Instruction ID: 2c206535d866df78199976315098743e572f618b81a39b40c408cdc7f538c058
Opcode Fuzzy Hash: b081ee7c62c07c52883b30d4cd0ca859fc2161849c04e2f1a0fbf1f3013a0994
Instruction Fuzzy Hash: FE213972C012598FDB10CF9AD484BEEBBF4AF49310F14846ED855A7350C7789945CF65

Function 00E36A19 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00E36A85

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 88b92bd206fb3bc794fca1c5f4c47c1f79969a065299fd19898fd236ee0209de
Instruction ID: 4f4e3017b213ed3f5d3b406e1bed7511079b058786de41dcb272e6f876413c32
Opcode Fuzzy Hash: 88b92bd206fb3bc794fca1c5f4c47c1f79969a065299fd19898fd236ee0209de
Instruction Fuzzy Hash: 0A1136B58003499FDB20CF9AC488BDEBFF4EF88314F10842AD519A7240C339A949CFA5

Function 00E36A20 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00E36A85

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: a3e32a19d8ba47f3ae68e954e3b14880648c6bb37a03605358c18779c3f9fc45
Instruction ID: 48526374a61cb0a7be1f87151a220ac8a00129bad94e8a406d305770f74bf354
Opcode Fuzzy Hash: a3e32a19d8ba47f3ae68e954e3b14880648c6bb37a03605358c18779c3f9fc45
Instruction Fuzzy Hash: 1D1103B58003499FDB20DF9AC488BDEBFF4EB88314F208429D519A7250C779A944CFA5

Function 00DDD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179717290.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ddd000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cb290bdf2cbbbd5a54e5a026582c12c112748431c8677ccfe0eb969953d053
Instruction ID: 9878b6fac4390282c1c42f916966e8cf56f21e93262c997d2dbf5df3c98c025a
Opcode Fuzzy Hash: d0cb290bdf2cbbbd5a54e5a026582c12c112748431c8677ccfe0eb969953d053
Instruction Fuzzy Hash: 3721D671504240DFDF15DF14E9C0B16BF66FB94314F24856AD9090B356C336D856CBB2

Function 00DDD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179717290.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ddd000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction ID: 9b93eb2f1c27b7e02671b536935f1952601a5710935fe3ff72993c1d04e1a136
Opcode Fuzzy Hash: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction Fuzzy Hash: C111B176904240DFCF16CF14D9C4B16BF72FB94324F28C6AAD9090B656C336D85ACBA2

Non-executed Functions

Function 00E33D40 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179816308.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_250427-xt4dsszrv3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b4b410cd63b1d0bde952f3e44f6119cd369c01598b831b389ec303680c205e
Instruction ID: a696c8430a24fa4cb60baef99ca5b7758f9ac9b2b26222bd454acb4d88b00f64
Opcode Fuzzy Hash: d3b4b410cd63b1d0bde952f3e44f6119cd369c01598b831b389ec303680c205e
Instruction Fuzzy Hash: B1913B70E003098FDB14CFA9D989BDEBFF2AF88318F149129E415B7294EB749945CB91

Analysis Process: mantekaaaa.exePID: 7948, Parent PID: 1048COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 007152B0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0071532F

Memory Dump Source

Source File: 00000007.00000002.2383059834.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_mantekaaaa.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 80593a5d233e402a3fb5b91e087fb11ea60aa95e764effcd2e5364bc4db0eb88
Instruction ID: 1e9f018e94511c4770f9b204d0ab935c333de236af6f92a50b5c8cca4c5a7361
Opcode Fuzzy Hash: 80593a5d233e402a3fb5b91e087fb11ea60aa95e764effcd2e5364bc4db0eb88
Instruction Fuzzy Hash: E82136B2801259CFDB14CF9AD884BEEBBF4AF49310F14846AE858A7641D778A944CF61

Function 00712D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0071532F

Memory Dump Source

Source File: 00000007.00000002.2383059834.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_mantekaaaa.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 6f8f076295af9fc8c12cb30bf9f65e20eb9bcf29b1de5359f74ecd5aaeac7137
Instruction ID: b3deb8ff6063fdc3821c864e8af9a609d5345da5543cf41ecaa1aee079a15f9f
Opcode Fuzzy Hash: 6f8f076295af9fc8c12cb30bf9f65e20eb9bcf29b1de5359f74ecd5aaeac7137
Instruction Fuzzy Hash: 832148B2C01259CFDB14CF9AD484BEEBBF4EF48310F14846AE859A7240D778A944CFA0

Function 007169C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00716A2D

Memory Dump Source

Source File: 00000007.00000002.2383059834.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_mantekaaaa.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: ead83b09dfa07fbd23191fd1caebbf92147cddc09855af109a28e60f4687a782
Instruction ID: 6be7c5f38744c5b8f92e96e368bd2b617af980a51e29bbc274baf7b528eadfd8
Opcode Fuzzy Hash: ead83b09dfa07fbd23191fd1caebbf92147cddc09855af109a28e60f4687a782
Instruction Fuzzy Hash: 411125B58003488FEB20DF9AC584BDEBFF4EF88310F208029D519A7250C779A944CFA5

Function 007169C8 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00716A2D

Memory Dump Source

Source File: 00000007.00000002.2383059834.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_710000_mantekaaaa.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 60de894e93f586599d5849fd45d13e26a1315f077f750ea5168d328e5ada3cec
Instruction ID: 666ab5f826a9d779ab1bce31fb3e7aec3f32b98d94d83422a1e958422619fe8c
Opcode Fuzzy Hash: 60de894e93f586599d5849fd45d13e26a1315f077f750ea5168d328e5ada3cec
Instruction Fuzzy Hash: 231103B59003488FDB20DF9AD984BDEBBF4EF88310F208429D518A7250C779A944CFA5

Function 006AD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382601472.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ad000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c8a01d0f4865cba62e527f149f1520d68adb8baae5a0a1f128a6d9d1b8dca7
Instruction ID: 110e62c8e10e88552ef376a576002e0386e9e674ab8bb1bb9ff1667019d4ba2a
Opcode Fuzzy Hash: d3c8a01d0f4865cba62e527f149f1520d68adb8baae5a0a1f128a6d9d1b8dca7
Instruction Fuzzy Hash: D12136B1904200DFDB15EF00D9C0B16BFA2FB89318F24C569D80A0B656C336DC16CEA2

Function 006BD0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382708131.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bd000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23368918ed561f4a6868c558c93ea7e90f884aaf7cfd95fa69a83344667e37b
Instruction ID: 6aa7ecfa22944939560e321a9b98625671a332b152eb933ec0327e2e63721cde
Opcode Fuzzy Hash: a23368918ed561f4a6868c558c93ea7e90f884aaf7cfd95fa69a83344667e37b
Instruction Fuzzy Hash: 3721C2B5604304AFDB14DF18D9C0B56BBA6EB84314F24C56DD8094F396D33AD896CBA1

Function 006AD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382601472.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ad000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction ID: 81a365b95b5902e9b013edfc6c4336e5b15453d2e72b13c4c082e0477ff67bcc
Opcode Fuzzy Hash: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction Fuzzy Hash: FE11E1B6804240DFCB16DF04D5C0B56BF72FB84324F28C6A9D80A0B656C336D85ACFA2

Function 006BD0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2382708131.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bd000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17b561b3a2f5ccd6137e25a4bf8f6687a509af5f5175a698926a0964df509aa
Instruction ID: fbb181ac7bb1b8d4604a86f357987c529f42e46b8ea0cbb1cb220b167258ae14
Opcode Fuzzy Hash: c17b561b3a2f5ccd6137e25a4bf8f6687a509af5f5175a698926a0964df509aa
Instruction Fuzzy Hash: A411A9B55042809FDB05CF14D980B95BBA2FB84314F28C6A9D8094F796C33AD85ACBA1

Analysis Process: mantekaaaa.exePID: 8068, Parent PID: 7844COMMON

Executed Functions

Function 01700EBA Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

(q, xrefs: 01701192
d]t, xrefs: 01700F05
Teq, xrefs: 01700EED

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID: (q$Teq$d]t
API String ID: 0-433998699
Opcode ID: c20269adc3a59f926215e82c6436eeca81cb87f3ca79b07dc79d683809820f69
Instruction ID: 4d96620eb2cb271fa47e6158da3811290b2af38f5df9df255e8b4ff5a237ac8e
Opcode Fuzzy Hash: c20269adc3a59f926215e82c6436eeca81cb87f3ca79b07dc79d683809820f69
Instruction Fuzzy Hash: E8519170B106049FD754DF69D494A9DBBF2FF88710F2581AAE806EB3A5CA75DC01CB90

Function 01700D20 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

dLq, xrefs: 01700D5B
Hq, xrefs: 01700E40

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID: Hq$dLq
API String ID: 0-4038822049
Opcode ID: 4d14d44992e3470d42b334d6f69cbe6061ff016f0208818d220d798db52c52cc
Instruction ID: 6de7bb9bc2569d39bea1fdae555105a664e1cea2e3c2b94dd6a3ac18b6962c30
Opcode Fuzzy Hash: 4d14d44992e3470d42b334d6f69cbe6061ff016f0208818d220d798db52c52cc
Instruction Fuzzy Hash: 40519030B043048FDB159F69D494B9EBBF2FF89310F1445AAE405EB3A2CA759C05CB91

Function 01701339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LRq, xrefs: 0170138B

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: d15143f6fbe32ec97ae1af6a44c6556b61e1893d3c4aa20b698e550a5e5293aa
Instruction ID: 29cf628d1e94cdab15edee6de7397406ee46f0dfa84314eb23b5544d0d1db21a
Opcode Fuzzy Hash: d15143f6fbe32ec97ae1af6a44c6556b61e1893d3c4aa20b698e550a5e5293aa
Instruction Fuzzy Hash: 5131DC70F002158FCB159BBD9891AAEBBE2FFC9310B54456EE506DB3A5EA34CD028791

Function 01700D10 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLq, xrefs: 01700D5B

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID: dLq
API String ID: 0-2312315067
Opcode ID: 9d8d599c685c1f89117f471a761e01924db4b158e0dc3179659f9381c62589a2
Instruction ID: 936f09c868e0d457d2e5e436b5f2b35c0f73937aba3c45645dc7d7532d2c0b86
Opcode Fuzzy Hash: 9d8d599c685c1f89117f471a761e01924db4b158e0dc3179659f9381c62589a2
Instruction Fuzzy Hash: C9318F75A00204DFDB15DF69C898BAEBBF2FF88310F148569E405AB3A1CB74AD45CB91

Function 01700E3F Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Hq, xrefs: 01700E40

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: c2e09ce0a8e9b73afee21ca9777371cfd55cb3b674782bb96e4c86854ab40627
Instruction ID: e2adfefe7aec8fb3fb0229bb751ae4c1a55f165482408f1b5c658e6f59232f23
Opcode Fuzzy Hash: c2e09ce0a8e9b73afee21ca9777371cfd55cb3b674782bb96e4c86854ab40627
Instruction Fuzzy Hash: DB01F4307083404FC38A9B3DA49456E7BE2EFCA22036945BFD405CB3A6CD3D8C0687A1

Function 01700AA0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06583512c574b324990c952052bd2e12ac6453919b50194119e8f5aea8de7a65
Instruction ID: b29e659a2b4533d71602e4cefa4a94381b0f1174351ef9c180d7078971a7e7e5
Opcode Fuzzy Hash: 06583512c574b324990c952052bd2e12ac6453919b50194119e8f5aea8de7a65
Instruction Fuzzy Hash: BB51B638600205CFC7A5EF24F884A5AB772FB8C2057508679D801EB269EF3D9D06DF91

Function 017011D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4ef006da03cadc8a62d290beb75b9637f871bfbd7e1a0c03d0b267afd7fa82
Instruction ID: 90a9e2ab44de7de8056ff931e0e4666c8d43e58e970612705764c90bd3d65bcc
Opcode Fuzzy Hash: bf4ef006da03cadc8a62d290beb75b9637f871bfbd7e1a0c03d0b267afd7fa82
Instruction Fuzzy Hash: 08418DB0F00309AFCB44DFA9885466EFBFAFF98310F64856ED44AD7345DA3499428B91

Function 01701030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6091084280a17e8f00fa091b22b0593d0021eb2e0fa0545e46168da2d7c448
Instruction ID: 258a259d98d0d61c833d920d481b026579e2b26fc74269de86021e4b3eb6bfa0
Opcode Fuzzy Hash: 6f6091084280a17e8f00fa091b22b0593d0021eb2e0fa0545e46168da2d7c448
Instruction Fuzzy Hash: 79212D35B00205DFE715DB69C955BADBBF2BF88720F658099E502AB3A5DA71DC00CB90

Function 01700998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77c459e80b7be23b1624cd1a52cd718df5828809be6faccf789b58cabca39d5
Instruction ID: 8357ef08641a8d59c53cbeec701bb0ae9c40ee1c7784b4882f128ca595329a77
Opcode Fuzzy Hash: d77c459e80b7be23b1624cd1a52cd718df5828809be6faccf789b58cabca39d5
Instruction Fuzzy Hash: E5213670654302CFDB66AF79984876DFBE4FB04391704567DB807D5195DE388A808B51

Function 014AD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1250842251.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14ad000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3c112e30f98106229351b43eac98d8da48dcb208e899142739a374b9057477
Instruction ID: 48c8cecd1a412fe6c0193dd4ed0cad9238a2cf56db71013bb5854942339bf2b3
Opcode Fuzzy Hash: 9f3c112e30f98106229351b43eac98d8da48dcb208e899142739a374b9057477
Instruction Fuzzy Hash: 862136B1904200DFDB15DF44D9C0B17BF61FB98314F64856AD9090B666C336D416CAA2

Function 017009A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517c24b3e54e0b1ac9558042912f6b0b220dba5d8f25d0dc106a15f832b5897f
Instruction ID: 1c107a544ad8bd50cb95908a276d1845df2cfcfeae2c99dad053805b4c228ac3
Opcode Fuzzy Hash: 517c24b3e54e0b1ac9558042912f6b0b220dba5d8f25d0dc106a15f832b5897f
Instruction Fuzzy Hash: C32133B0614302CFDF66BF7D995872EFAE4BF082917044639B907D51D5EE34CA808B51

Function 01701431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19674dc4494de911131d73d73df46546743392b475977699f1d67bed0563d348
Instruction ID: f2fd68604d031f0c02000c4c2e1df59f29afac0b3e2280b1f6cd99ea6d459fe9
Opcode Fuzzy Hash: 19674dc4494de911131d73d73df46546743392b475977699f1d67bed0563d348
Instruction Fuzzy Hash: 26119E30A00315DFC795DFB8D5445AABBF1FF8831035246B9E805D7268DA39DC12CB90

Function 014AD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1250842251.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14ad000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction ID: 0999d9761445651c5f33b27f62d49d2c4b3f8ea2096536b9ddd77aef2ecece4d
Opcode Fuzzy Hash: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
Instruction Fuzzy Hash: 0511E4B6804240CFCB16CF44D5C0B16BF71FB94314F24C5AAD9450B667C336D456CB91

Function 01701440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d219c55c6ea131be290184cc1eed9035374283fbd3bc6adce9fe03db7a5aa287
Instruction ID: c4a384caa23db8f87d3cd2f9a591d663a879be516f9678b53dca2263ba8d51ac
Opcode Fuzzy Hash: d219c55c6ea131be290184cc1eed9035374283fbd3bc6adce9fe03db7a5aa287
Instruction Fuzzy Hash: 1C117C70A00205DFCB95EBB9D50466ABBF6BF8821075544B8D406D7368EE38CC01CB90

Function 01700E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1251757553.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1700000_mantekaaaa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6392cce511ca07d53ced97ba460fd9fd44d5e31227a41a1bea4df21c6ba842a
Instruction ID: 96d6e6979b536ea72b40c2bce6c3c5211acf2030ffa61cc8ab57171756969231
Opcode Fuzzy Hash: c6392cce511ca07d53ced97ba460fd9fd44d5e31227a41a1bea4df21c6ba842a
Instruction Fuzzy Hash: 22E08C313002005F83489A2EA88495ABBDAEBC822135444BAE109C7329CD70CC014790

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 250427-xt4dsszrv3.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\250427-xt4dsszrv3.bin.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mantekaaaa.exe.log

C:\Users\user\AppData\Local\Temp\tmp7A0D.tmp.bat

C:\Users\user\AppData\Roaming\mantekaaaa.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
250427-xt4dsszrv3.bin.exe