Edit tour

Windows Analysis Report
ezUEYpQhNN

Overview

General Information

Sample Name:	ezUEYpQhNN (renamed file extension from none to exe)
Analysis ID:	626815
MD5:	b28ddf547716c0cdee99d4e5f261704d
SHA1:	cef47d43a0809616fbdb980b7864b4cef8ed2943
SHA256:	89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e
Tags:	32exetrojan
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

.NET source code references suspicious native API functions

Machine Learning detection for sample

Binary or sample is protected by dotNetProtector

.NET source code contains potential unpacker

Yara detected Generic Downloader

Machine Learning detection for dropped file

Connects to a pastebin service (likely for C&C)

Moves itself to temp directory

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ezUEYpQhNN.exe (PID: 3308 cmdline: "C:\Users\user\Desktop\ezUEYpQhNN.exe" MD5: B28DDF547716C0CDEE99D4E5F261704D)

ElWebsite.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Local\Temp\ElWebsite.exe" MD5: 39FD56F4E5A67CCF23E627F371CA9A9F)

cmd.exe (PID: 1100 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3432 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 3656 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\ezUEYpQhNN.exe" "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.501081381.0000000002B14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000004.00000002.502245246.0000000002D05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: ezUEYpQhNN.exe PID: 3308	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: ElWebsite.exe PID: 5652	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: ElWebsite.exe PID: 5652	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.ElWebsite.exe.840000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.ElWebsite.exe.840000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.ElWebsite.exe.840000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.0.ElWebsite.exe.840000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.ElWebsite.exe.840000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
4.0.ElWebsite.exe.840000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.0.ElWebsite.exe.840000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
4.0.ElWebsite.exe.840000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.0.ElWebsite.exe.840000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
4.2.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
4.0.ElWebsite.exe.840000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
4.0.ElWebsite.exe.840000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.0.ElWebsite.exe.840000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
0.2.ezUEYpQhNN.exe.3023f04.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.ezUEYpQhNN.exe.3023f04.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
0.2.ezUEYpQhNN.exe.3023f04.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.ezUEYpQhNN.exe.3023f04.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
4.0.ElWebsite.exe.840000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.0.ElWebsite.exe.840000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
4.0.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.0.ElWebsite.exe.840000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
0.2.ezUEYpQhNN.exe.302fec4.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.ezUEYpQhNN.exe.302fec4.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
0.2.ezUEYpQhNN.exe.302fec4.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.ezUEYpQhNN.exe.302fec4.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15a18:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x15963:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x158e2:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15930:$s4: VmlydHVhbFByb3RlY3Q
0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15c9a:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cda:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d28:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d76:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x16112:$s1: DcRatBy
Click to see the 33 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 51.195.196.86 - Destination IP: 192.168.2.4

Timestamp:	51.195.196.86192.168.2.48868497592848152 05/15/22-16:02:44.117605
SID:	2848152
Source Port:	8868
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ezUEYpQhNN.exe	Virustotal: Detection: 46%			Perma Link
Source: ezUEYpQhNN.exe	ReversingLabs: Detection: 43%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Avira: detection malicious, Label: HEUR/AGEN.1202861

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Virustotal: Detection: 62%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: ezUEYpQhNN.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Unpacked PE file: 4.2.ElWebsite.exe.840000.0.unpack

Source: ezUEYpQhNN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 172.67.34.170:443 -> 192.168.2.4:49758 version: TLS 1.0

Source: ezUEYpQhNN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 51.195.196.86:8868 -> 192.168.2.4:49759

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

HTTP traffic detected: GET /raw/tefSYKAL HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 172.67.34.170 172.67.34.170

Source: unknown

HTTPS traffic detected: 172.67.34.170:443 -> 192.168.2.4:49758 version: TLS 1.0

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 51.195.196.86:8868

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.196.86

Source: ElWebsite.exe, 00000004.00000002.504787827.000000001B559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ElWebsite.exe, 00000004.00000002.500548662.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ElWebsite.exe, 00000004.00000002.504787827.000000001B559000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ElWebsite.exe, 00000004.00000003.277711450.000000001B3EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6d1f84d848ed
Source: ElWebsite.exe, 00000004.00000002.504787827.000000001B559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabr
Source: ElWebsite.exe, 00000004.00000002.502096513.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: ElWebsite.exe, 00000004.00000002.501579874.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.500974615.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ElWebsite.exe, 00000004.00000002.502024248.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: ElWebsite.exe, 00000004.00000002.501579874.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000003.282476478.000000001B3E8000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.500974615.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/tefSYKAL

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: global traffic

HTTP traffic detected: GET /raw/tefSYKAL HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ezUEYpQhNN.exe PID: 3308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen

Source: ezUEYpQhNN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_011188D0	0_2_011188D0
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053DAD35	0_2_053DAD35
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053DADC4	0_2_053DADC4
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053D0006	0_2_053D0006
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053D5730	0_2_053D5730
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053E0040	0_2_053E0040
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_0114211F	0_2_0114211F

Source: ezUEYpQhNN.exe, 00000000.00000000.228335128.000000000118E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMSHTA.EXED vs ezUEYpQhNN.exe
Source: ezUEYpQhNN.exe, 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs ezUEYpQhNN.exe
Source: ezUEYpQhNN.exe	Binary or memory string: OriginalFilenameMSHTA.EXED vs ezUEYpQhNN.exe

Source: ezUEYpQhNN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ezUEYpQhNN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ezUEYpQhNN.exe	Virustotal: Detection: 46%
Source: ezUEYpQhNN.exe	ReversingLabs: Detection: 43%

Source: ezUEYpQhNN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ezUEYpQhNN.exe "C:\Users\user\Desktop\ezUEYpQhNN.exe"
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Users\user\AppData\Local\Temp\ElWebsite.exe "C:\Users\user\AppData\Local\Temp\ElWebsite.exe"
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\ezUEYpQhNN.exe" "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Users\user\AppData\Local\Temp\ElWebsite.exe "C:\Users\user\AppData\Local\Temp\ElWebsite.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\ezUEYpQhNN.exe" "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f	Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

File created: C:\Users\user\AppData\Roaming\Mshta

Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

File created: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/4@1/2

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ElWebsite.exe.0.dr, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ElWebsite.exe.0.dr, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: ezUEYpQhNN.exe, Op_Addition.cs	Base64 encoded string: 'ZFAh/XUZScdTyrqXbf1zuWqw6p5cADRIPQLLnRVZRjYbf5HlyVUFFIKDlEU/0YxjmHXe5pzVQic='
Source: ElWebsite.exe.0.dr, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: ElWebsite.exe.0.dr, Client/Settings.cs	Base64 encoded string: 'Nh7A06gyvZu+pjE6WzaDDouOzT42/irqrkHQEOpP11/p6AGps/kQmCsPdkurwQVyxUuk4LBpn2VKP02/Y/CQwA==', 'kpLN7klWfjrTkNNOR2zzd/pM6HRvHYY+gsZaSsPUC6WkYfZ48Ack+RmQR03fNiPSkcJD5kTmpDajj0x+soZFI3rUfF1jCmzQiRhzNE10H9T9lEgBLahwrZtu/y+8MAJoq5AOlozOVj/XIlS0I6hIZjsoGm1i+9495CQyDUK6FqHh/iWLOJfPZ3I8TdJUWqhSXtggvmdClkLmRaZHLm3Y8JkTlE7tK2Se5317FCX0EyyPgac/RLqMo3/eHGyVjp0EMcHPWTaOslf1XJXzTEsSoJzHplgWokGKisUrxC3XcbphqDuZXxpquUZZb7L2HgZF2AMY1n1mnoKM0YITgF2XJffvQMBnfFNb2ObTIq/fXjsyrdhOrtd5HEVe9Ro2mru00f/l5hGyl2lvVaglM845tnM1EHRrar2sJL777AHQ4yL/I3VdLFWbxer9kr8N8y2zPjUQR6FFcSPOYVljg1VQlXh7FcYGx40fC5njclzSMaXLf1pS1SRQP4FH22aBmqfL6hJ9h6XMAesUTww6dlTYu3MGxvDrdRNyfHfor0XSQpBYqzz5Ua9kYhIKPH+M+YcHY6HN2qyfs+1z2IhuEkenpDUrJ1ReNjtnlJvD0wa9CwkLFoB2YY+ZUVxhowRwPQ0YgHjdKajXjrFqh35hyIdVYI9jnrQVeFr8xGDW8mTtlATL7Mn8BRDM4ZgtKQvgtM8STH1Zgd5Rpn8gS/I/qZtK1EXMwKmuB6fo++zE9hyD5G2Yq/PKa9K6yAiDYEhVFm6SuMkR3Qm8yZoCLFTweSTLjiFPU6hBnxUS/2ouR9yUdJYPYXWVJjKE7NHbpxiEOtvrUtyPH90qbAzGsnhB9s00s9DgzKwGHtTAVA5rhY8rilASzIJQoJpRwlKXZLxK7BL3CVtr9KnHptMqwvwhSkvcn7DTS5pjeV2RKVwIWe1WA18Xj++MKj626MSyCWUYuDcBX/S1hFXLiMHkmUDlUvNCi9OWI5tQKvrXTqQj8DYZNtPfgxuKXdP6S8ER1GDN2LrZWtgrS6/fV+oQ9lb+TkOkcJRzUM9ZEQJdNKda1DTZLJR6dUIqWs+k6ThkILgV57yF', 'ggHcqhXJL2ma54WMeTPmUm3sgPUl2B0HrE5uyMXnSBKEpVkMx+Ka+LRr17q42XJc9nMQ+Zrn3LHzwdNGBX48/HHrx2Hwgcji1xkFhwVh1oLphszZxgWSUxdjFtNmeFGI1r+LDHFMFZlBjuFM3UdpFa0Gnq5x4M3BPKrdoMZIptyUAUYDcQps/4pLGsICXjIzaGr4Dtyfs+85ua4H0dtRjJn2DcsWCvI/hKJeQEom1GvAlQcDABTxeRaOzWy/F81HK7PZHofGVDAND/MYnqmKzYkY7yXP6xwUxibY9kBiBdU=', 'NsZvIMW1aA9L+EPn9VW3hZ7mNEYbSos78D1MNYvAS5PtaYNsl0nppYHTzEbQzsFpQMPl1l1gzizryqy7cOMAMw==', 'NsjxxW98LY9Hh9z9Zp3u0sMN1enK7MObFZzHnBIlnapQB/cs7UG5TnOO6AnMlILlAAdOv+E0GUwaD+wrrrUQxg==', 'mJJbVCeA7WPPrtzSlBJqnTj6VbuM9fpCRP+SwrPw/msOKPpEEi+aJo12GdbQ3v7UvnMw1/gsy+ahrVDKzHwwsQ=='
Source: 0.0.ezUEYpQhNN.exe.1140000.0.unpack, Op_Addition.cs	Base64 encoded string: 'ZFAh/XUZScdTyrqXbf1zuWqw6p5cADRIPQLLnRVZRjYbf5HlyVUFFIKDlEU/0YxjmHXe5pzVQic='
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Nh7A06gyvZu+pjE6WzaDDouOzT42/irqrkHQEOpP11/p6AGps/kQmCsPdkurwQVyxUuk4LBpn2VKP02/Y/CQwA==', 'kpLN7klWfjrTkNNOR2zzd/pM6HRvHYY+gsZaSsPUC6WkYfZ48Ack+RmQR03fNiPSkcJD5kTmpDajj0x+soZFI3rUfF1jCmzQiRhzNE10H9T9lEgBLahwrZtu/y+8MAJoq5AOlozOVj/XIlS0I6hIZjsoGm1i+9495CQyDUK6FqHh/iWLOJfPZ3I8TdJUWqhSXtggvmdClkLmRaZHLm3Y8JkTlE7tK2Se5317FCX0EyyPgac/RLqMo3/eHGyVjp0EMcHPWTaOslf1XJXzTEsSoJzHplgWokGKisUrxC3XcbphqDuZXxpquUZZb7L2HgZF2AMY1n1mnoKM0YITgF2XJffvQMBnfFNb2ObTIq/fXjsyrdhOrtd5HEVe9Ro2mru00f/l5hGyl2lvVaglM845tnM1EHRrar2sJL777AHQ4yL/I3VdLFWbxer9kr8N8y2zPjUQR6FFcSPOYVljg1VQlXh7FcYGx40fC5njclzSMaXLf1pS1SRQP4FH22aBmqfL6hJ9h6XMAesUTww6dlTYu3MGxvDrdRNyfHfor0XSQpBYqzz5Ua9kYhIKPH+M+YcHY6HN2qyfs+1z2IhuEkenpDUrJ1ReNjtnlJvD0wa9CwkLFoB2YY+ZUVxhowRwPQ0YgHjdKajXjrFqh35hyIdVYI9jnrQVeFr8xGDW8mTtlATL7Mn8BRDM4ZgtKQvgtM8STH1Zgd5Rpn8gS/I/qZtK1EXMwKmuB6fo++zE9hyD5G2Yq/PKa9K6yAiDYEhVFm6SuMkR3Qm8yZoCLFTweSTLjiFPU6hBnxUS/2ouR9yUdJYPYXWVJjKE7NHbpxiEOtvrUtyPH90qbAzGsnhB9s00s9DgzKwGHtTAVA5rhY8rilASzIJQoJpRwlKXZLxK7BL3CVtr9KnHptMqwvwhSkvcn7DTS5pjeV2RKVwIWe1WA18Xj++MKj626MSyCWUYuDcBX/S1hFXLiMHkmUDlUvNCi9OWI5tQKvrXTqQj8DYZNtPfgxuKXdP6S8ER1GDN2LrZWtgrS6/fV+oQ9lb+TkOkcJRzUM9ZEQJdNKda1DTZLJR6dUIqWs+k6ThkILgV57yF', 'ggHcqhXJL2ma54WMeTPmUm3sgPUl2B0HrE5uyMXnSBKEpVkMx+Ka+LRr17q42XJc9nMQ+Zrn3LHzwdNGBX48/HHrx2Hwgcji1xkFhwVh1oLphszZxgWSUxdjFtNmeFGI1r+LDHFMFZlBjuFM3UdpFa0Gnq5x4M3BPKrdoMZIptyUAUYDcQps/4pLGsICXjIzaGr4Dtyfs+85ua4H0dtRjJn2DcsWCvI/hKJeQEom1GvAlQcDABTxeRaOzWy/F81HK7PZHofGVDAND/MYnqmKzYkY7yXP6xwUxibY9kBiBdU=', 'NsZvIMW1aA9L+EPn9VW3hZ7mNEYbSos78D1MNYvAS5PtaYNsl0nppYHTzEbQzsFpQMPl1l1gzizryqy7cOMAMw==', 'NsjxxW98LY9Hh9z9Zp3u0sMN1enK7MObFZzHnBIlnapQB/cs7UG5TnOO6AnMlILlAAdOv+E0GUwaD+wrrrUQxg==', 'mJJbVCeA7WPPrtzSlBJqnTj6VbuM9fpCRP+SwrPw/msOKPpEEi+aJo12GdbQ3v7UvnMw1/gsy+ahrVDKzHwwsQ=='
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Settings.cs	Base64 encoded string: 'Nh7A06gyvZu+pjE6WzaDDouOzT42/irqrkHQEOpP11/p6AGps/kQmCsPdkurwQVyxUuk4LBpn2VKP02/Y/CQwA==', 'kpLN7klWfjrTkNNOR2zzd/pM6HRvHYY+gsZaSsPUC6WkYfZ48Ack+RmQR03fNiPSkcJD5kTmpDajj0x+soZFI3rUfF1jCmzQiRhzNE10H9T9lEgBLahwrZtu/y+8MAJoq5AOlozOVj/XIlS0I6hIZjsoGm1i+9495CQyDUK6FqHh/iWLOJfPZ3I8TdJUWqhSXtggvmdClkLmRaZHLm3Y8JkTlE7tK2Se5317FCX0EyyPgac/RLqMo3/eHGyVjp0EMcHPWTaOslf1XJXzTEsSoJzHplgWokGKisUrxC3XcbphqDuZXxpquUZZb7L2HgZF2AMY1n1mnoKM0YITgF2XJffvQMBnfFNb2ObTIq/fXjsyrdhOrtd5HEVe9Ro2mru00f/l5hGyl2lvVaglM845tnM1EHRrar2sJL777AHQ4yL/I3VdLFWbxer9kr8N8y2zPjUQR6FFcSPOYVljg1VQlXh7FcYGx40fC5njclzSMaXLf1pS1SRQP4FH22aBmqfL6hJ9h6XMAesUTww6dlTYu3MGxvDrdRNyfHfor0XSQpBYqzz5Ua9kYhIKPH+M+YcHY6HN2qyfs+1z2IhuEkenpDUrJ1ReNjtnlJvD0wa9CwkLFoB2YY+ZUVxhowRwPQ0YgHjdKajXjrFqh35hyIdVYI9jnrQVeFr8xGDW8mTtlATL7Mn8BRDM4ZgtKQvgtM8STH1Zgd5Rpn8gS/I/qZtK1EXMwKmuB6fo++zE9hyD5G2Yq/PKa9K6yAiDYEhVFm6SuMkR3Qm8yZoCLFTweSTLjiFPU6hBnxUS/2ouR9yUdJYPYXWVJjKE7NHbpxiEOtvrUtyPH90qbAzGsnhB9s00s9DgzKwGHtTAVA5rhY8rilASzIJQoJpRwlKXZLxK7BL3CVtr9KnHptMqwvwhSkvcn7DTS5pjeV2RKVwIWe1WA18Xj++MKj626MSyCWUYuDcBX/S1hFXLiMHkmUDlUvNCi9OWI5tQKvrXTqQj8DYZNtPfgxuKXdP6S8ER1GDN2LrZWtgrS6/fV+oQ9lb+TkOkcJRzUM9ZEQJdNKda1DTZLJR6dUIqWs+k6ThkILgV57yF', 'ggHcqhXJL2ma54WMeTPmUm3sgPUl2B0HrE5uyMXnSBKEpVkMx+Ka+LRr17q42XJc9nMQ+Zrn3LHzwdNGBX48/HHrx2Hwgcji1xkFhwVh1oLphszZxgWSUxdjFtNmeFGI1r+LDHFMFZlBjuFM3UdpFa0Gnq5x4M3BPKrdoMZIptyUAUYDcQps/4pLGsICXjIzaGr4Dtyfs+85ua4H0dtRjJn2DcsWCvI/hKJeQEom1GvAlQcDABTxeRaOzWy/F81HK7PZHofGVDAND/MYnqmKzYkY7yXP6xwUxibY9kBiBdU=', 'NsZvIMW1aA9L+EPn9VW3hZ7mNEYbSos78D1MNYvAS5PtaYNsl0nppYHTzEbQzsFpQMPl1l1gzizryqy7cOMAMw==', 'NsjxxW98LY9Hh9z9Zp3u0sMN1enK7MObFZzHnBIlnapQB/cs7UG5TnOO6AnMlILlAAdOv+E0GUwaD+wrrrUQxg==', 'mJJbVCeA7WPPrtzSlBJqnTj6VbuM9fpCRP+SwrPw/msOKPpEEi+aJo12GdbQ3v7UvnMw1/gsy+ahrVDKzHwwsQ=='
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Nh7A06gyvZu+pjE6WzaDDouOzT42/irqrkHQEOpP11/p6AGps/kQmCsPdkurwQVyxUuk4LBpn2VKP02/Y/CQwA==', 'kpLN7klWfjrTkNNOR2zzd/pM6HRvHYY+gsZaSsPUC6WkYfZ48Ack+RmQR03fNiPSkcJD5kTmpDajj0x+soZFI3rUfF1jCmzQiRhzNE10H9T9lEgBLahwrZtu/y+8MAJoq5AOlozOVj/XIlS0I6hIZjsoGm1i+9495CQyDUK6FqHh/iWLOJfPZ3I8TdJUWqhSXtggvmdClkLmRaZHLm3Y8JkTlE7tK2Se5317FCX0EyyPgac/RLqMo3/eHGyVjp0EMcHPWTaOslf1XJXzTEsSoJzHplgWokGKisUrxC3XcbphqDuZXxpquUZZb7L2HgZF2AMY1n1mnoKM0YITgF2XJffvQMBnfFNb2ObTIq/fXjsyrdhOrtd5HEVe9Ro2mru00f/l5hGyl2lvVaglM845tnM1EHRrar2sJL777AHQ4yL/I3VdLFWbxer9kr8N8y2zPjUQR6FFcSPOYVljg1VQlXh7FcYGx40fC5njclzSMaXLf1pS1SRQP4FH22aBmqfL6hJ9h6XMAesUTww6dlTYu3MGxvDrdRNyfHfor0XSQpBYqzz5Ua9kYhIKPH+M+YcHY6HN2qyfs+1z2IhuEkenpDUrJ1ReNjtnlJvD0wa9CwkLFoB2YY+ZUVxhowRwPQ0YgHjdKajXjrFqh35hyIdVYI9jnrQVeFr8xGDW8mTtlATL7Mn8BRDM4ZgtKQvgtM8STH1Zgd5Rpn8gS/I/qZtK1EXMwKmuB6fo++zE9hyD5G2Yq/PKa9K6yAiDYEhVFm6SuMkR3Qm8yZoCLFTweSTLjiFPU6hBnxUS/2ouR9yUdJYPYXWVJjKE7NHbpxiEOtvrUtyPH90qbAzGsnhB9s00s9DgzKwGHtTAVA5rhY8rilASzIJQoJpRwlKXZLxK7BL3CVtr9KnHptMqwvwhSkvcn7DTS5pjeV2RKVwIWe1WA18Xj++MKj626MSyCWUYuDcBX/S1hFXLiMHkmUDlUvNCi9OWI5tQKvrXTqQj8DYZNtPfgxuKXdP6S8ER1GDN2LrZWtgrS6/fV+oQ9lb+TkOkcJRzUM9ZEQJdNKda1DTZLJR6dUIqWs+k6ThkILgV57yF', 'ggHcqhXJL2ma54WMeTPmUm3sgPUl2B0HrE5uyMXnSBKEpVkMx+Ka+LRr17q42XJc9nMQ+Zrn3LHzwdNGBX48/HHrx2Hwgcji1xkFhwVh1oLphszZxgWSUxdjFtNmeFGI1r+LDHFMFZlBjuFM3UdpFa0Gnq5x4M3BPKrdoMZIptyUAUYDcQps/4pLGsICXjIzaGr4Dtyfs+85ua4H0dtRjJn2DcsWCvI/hKJeQEom1GvAlQcDABTxeRaOzWy/F81HK7PZHofGVDAND/MYnqmKzYkY7yXP6xwUxibY9kBiBdU=', 'NsZvIMW1aA9L+EPn9VW3hZ7mNEYbSos78D1MNYvAS5PtaYNsl0nppYHTzEbQzsFpQMPl1l1gzizryqy7cOMAMw==', 'NsjxxW98LY9Hh9z9Zp3u0sMN1enK7MObFZzHnBIlnapQB/cs7UG5TnOO6AnMlILlAAdOv+E0GUwaD+wrrrUQxg==', 'mJJbVCeA7WPPrtzSlBJqnTj6VbuM9fpCRP+SwrPw/msOKPpEEi+aJo12GdbQ3v7UvnMw1/gsy+ahrVDKzHwwsQ=='
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Settings.cs	Base64 encoded string: 'Nh7A06gyvZu+pjE6WzaDDouOzT42/irqrkHQEOpP11/p6AGps/kQmCsPdkurwQVyxUuk4LBpn2VKP02/Y/CQwA==', 'kpLN7klWfjrTkNNOR2zzd/pM6HRvHYY+gsZaSsPUC6WkYfZ48Ack+RmQR03fNiPSkcJD5kTmpDajj0x+soZFI3rUfF1jCmzQiRhzNE10H9T9lEgBLahwrZtu/y+8MAJoq5AOlozOVj/XIlS0I6hIZjsoGm1i+9495CQyDUK6FqHh/iWLOJfPZ3I8TdJUWqhSXtggvmdClkLmRaZHLm3Y8JkTlE7tK2Se5317FCX0EyyPgac/RLqMo3/eHGyVjp0EMcHPWTaOslf1XJXzTEsSoJzHplgWokGKisUrxC3XcbphqDuZXxpquUZZb7L2HgZF2AMY1n1mnoKM0YITgF2XJffvQMBnfFNb2ObTIq/fXjsyrdhOrtd5HEVe9Ro2mru00f/l5hGyl2lvVaglM845tnM1EHRrar2sJL777AHQ4yL/I3VdLFWbxer9kr8N8y2zPjUQR6FFcSPOYVljg1VQlXh7FcYGx40fC5njclzSMaXLf1pS1SRQP4FH22aBmqfL6hJ9h6XMAesUTww6dlTYu3MGxvDrdRNyfHfor0XSQpBYqzz5Ua9kYhIKPH+M+YcHY6HN2qyfs+1z2IhuEkenpDUrJ1ReNjtnlJvD0wa9CwkLFoB2YY+ZUVxhowRwPQ0YgHjdKajXjrFqh35hyIdVYI9jnrQVeFr8xGDW8mTtlATL7Mn8BRDM4ZgtKQvgtM8STH1Zgd5Rpn8gS/I/qZtK1EXMwKmuB6fo++zE9hyD5G2Yq/PKa9K6yAiDYEhVFm6SuMkR3Qm8yZoCLFTweSTLjiFPU6hBnxUS/2ouR9yUdJYPYXWVJjKE7NHbpxiEOtvrUtyPH90qbAzGsnhB9s00s9DgzKwGHtTAVA5rhY8rilASzIJQoJpRwlKXZLxK7BL3CVtr9KnHptMqwvwhSkvcn7DTS5pjeV2RKVwIWe1WA18Xj++MKj626MSyCWUYuDcBX/S1hFXLiMHkmUDlUvNCi9OWI5tQKvrXTqQj8DYZNtPfgxuKXdP6S8ER1GDN2LrZWtgrS6/fV+oQ9lb+TkOkcJRzUM9ZEQJdNKda1DTZLJR6dUIqWs+k6ThkILgV57yF', 'ggHcqhXJL2ma54WMeTPmUm3sgPUl2B0HrE5uyMXnSBKEpVkMx+Ka+LRr17q42XJc9nMQ+Zrn3LHzwdNGBX48/HHrx2Hwgcji1xkFhwVh1oLphszZxgWSUxdjFtNmeFGI1r+LDHFMFZlBjuFM3UdpFa0Gnq5x4M3BPKrdoMZIptyUAUYDcQps/4pLGsICXjIzaGr4Dtyfs+85ua4H0dtRjJn2DcsWCvI/hKJeQEom1GvAlQcDABTxeRaOzWy/F81HK7PZHofGVDAND/MYnqmKzYkY7yXP6xwUxibY9kBiBdU=', 'NsZvIMW1aA9L+EPn9VW3hZ7mNEYbSos78D1MNYvAS5PtaYNsl0nppYHTzEbQzsFpQMPl1l1gzizryqy7cOMAMw==', 'NsjxxW98LY9Hh9z9Zp3u0sMN1enK7MObFZzHnBIlnapQB/cs7UG5TnOO6AnMlILlAAdOv+E0GUwaD+wrrrUQxg==', 'mJJbVCeA7WPPrtzSlBJqnTj6VbuM9fpCRP+SwrPw/msOKPpEEi+aJo12GdbQ3v7UvnMw1/gsy+ahrVDKzHwwsQ=='

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Mutant created: \Sessions\1\BaseNamedObjects\mshta

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ezUEYpQhNN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ezUEYpQhNN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Unpacked PE file: 4.2.ElWebsite.exe.840000.0.unpack

Binary or sample is protected by dotNetProtector

Source: ezUEYpQhNN.exe	String found in binary or memory: dotNetProtector
Source: ezUEYpQhNN.exe, 00000000.00000000.228287753.0000000001142000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: dotNetProtector
Source: ezUEYpQhNN.exe, 00000000.00000000.228287753.0000000001142000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: xmTanSigPtrLenget_MetadataTokenAssignCancellationTokenlpNumbdhsdsderOfBfdsfytesWrittenhTokdsehfdfssdfnDesignSinAppDomainget_CurrentDomainUInt64PrecisionRuntimeVersionGetSubKeyCreatePermissionWindowsBootApplicationDynamicTimeZoneInformationNineRays.Obfuscator.EvaluationendActionSystem.ReflectionParseAsTypeSigReflectionDbiFunctionReadOneInstructionRanToCompletionOp_AdditionGet_ConditionGetGenericMethodDefinitionPositionCallingConventionAppDomainUnloadedExceptionRuntimeWrappedExceptionMissingMethodExceptionM_descriptionRunM_DynamicILInfoGetDynamicILInfoFieldInfoMethodInfoGet_CultureInfoEnsureUriInfostartupInfoMemberInfoM_memberInfoEmitLineNumberInfoParameterInfoProcessStartInfoDirectoryInfoZeroResetImplMapAlwaysCreateGuidHeapSleepsdgpsfgpExpSystem.Linqset_ShowInTaskbarJapaneseCalendarVolumeSeparatorCharMarkFinallyAddrMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderGetPoolDataOrderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerICustomMarshalerAnsiCharMarshalerModuleResolveEventHandlerGetOwnerDeleteHelperIsBaseOfHelperCreateMethodBodyHelperDeclSecurityUserGetReturnParameterGet_IsNativeWriterget_IsPointerInstructionPrinterMethodDecrypterBitConverterEfiRuntimeDriverGetTokenForFloorset_RedirectStandardErrorDateSeparatorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_ptrfaasfagfdgdasAbsTypeSpecsSystem.DiagnosticsdsdsdhddsdsdsdsgfdsFromMillisecondsGetMethodsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesInitializeWin32ResourceskrdcmecFSf.resourcesInitializePropertiesVTablesbInhderitfdfHandlesEnableVisualStylesEmptyTypesAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesSecurityAttributesWriteAllBytesGetBytesGet_NumberGroupSizessfggfsMapKeyStorageFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsGetSecurityFlagsfsfgfgsfhddsdhsToTicksEqualsSystem.Windows.FormsGet_HasExtraSectionsCallingConventionsSet_TablesHeapOptionsCosm_posGetScopePropsget_CharsHexUpperCharsStreamHeadersGetOptionalCustomModifiersGetParameters__Filtersget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressSystem.Net.SocketsSetBitsMyDocumentsset_ArgumentsCrossScopeImportsInitializeTypeRefTableRowsGetWeekOfYearFullDaysAlways
Source: ezUEYpQhNN.exe, 00000000.00000002.271762577.0000000001142000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: dotNetProtector
Source: ezUEYpQhNN.exe, 00000000.00000002.271762577.0000000001142000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: xmTanSigPtrLenget_MetadataTokenAssignCancellationTokenlpNumbdhsdsderOfBfdsfytesWrittenhTokdsehfdfssdfnDesignSinAppDomainget_CurrentDomainUInt64PrecisionRuntimeVersionGetSubKeyCreatePermissionWindowsBootApplicationDynamicTimeZoneInformationNineRays.Obfuscator.EvaluationendActionSystem.ReflectionParseAsTypeSigReflectionDbiFunctionReadOneInstructionRanToCompletionOp_AdditionGet_ConditionGetGenericMethodDefinitionPositionCallingConventionAppDomainUnloadedExceptionRuntimeWrappedExceptionMissingMethodExceptionM_descriptionRunM_DynamicILInfoGetDynamicILInfoFieldInfoMethodInfoGet_CultureInfoEnsureUriInfostartupInfoMemberInfoM_memberInfoEmitLineNumberInfoParameterInfoProcessStartInfoDirectoryInfoZeroResetImplMapAlwaysCreateGuidHeapSleepsdgpsfgpExpSystem.Linqset_ShowInTaskbarJapaneseCalendarVolumeSeparatorCharMarkFinallyAddrMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderGetPoolDataOrderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerICustomMarshalerAnsiCharMarshalerModuleResolveEventHandlerGetOwnerDeleteHelperIsBaseOfHelperCreateMethodBodyHelperDeclSecurityUserGetReturnParameterGet_IsNativeWriterget_IsPointerInstructionPrinterMethodDecrypterBitConverterEfiRuntimeDriverGetTokenForFloorset_RedirectStandardErrorDateSeparatorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_ptrfaasfagfdgdasAbsTypeSpecsSystem.DiagnosticsdsdsdhddsdsdsdsgfdsFromMillisecondsGetMethodsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesInitializeWin32ResourceskrdcmecFSf.resourcesInitializePropertiesVTablesbInhderitfdfHandlesEnableVisualStylesEmptyTypesAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesSecurityAttributesWriteAllBytesGetBytesGet_NumberGroupSizessfggfsMapKeyStorageFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsGetSecurityFlagsfsfgfgsfhddsdhsToTicksEqualsSystem.Windows.FormsGet_HasExtraSectionsCallingConventionsSet_TablesHeapOptionsCosm_posGetScopePropsget_CharsHexUpperCharsStreamHeadersGetOptionalCustomModifiersGetParameters__Filtersget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressSystem.Net.SocketsSetBitsMyDocumentsset_ArgumentsCrossScopeImportsInitializeTypeRefTableRowsGetWeekOfYearFullDaysAlways
Source: ezUEYpQhNN.exe	String found in binary or memory: dotNetProtector
Source: ezUEYpQhNN.exe	String found in binary or memory: xmTanSigPtrLenget_MetadataTokenAssignCancellationTokenlpNumbdhsdsderOfBfdsfytesWrittenhTokdsehfdfssdfnDesignSinAppDomainget_CurrentDomainUInt64PrecisionRuntimeVersionGetSubKeyCreatePermissionWindowsBootApplicationDynamicTimeZoneInformationNineRays.Obfuscator.EvaluationendActionSystem.ReflectionParseAsTypeSigReflectionDbiFunctionReadOneInstructionRanToCompletionOp_AdditionGet_ConditionGetGenericMethodDefinitionPositionCallingConventionAppDomainUnloadedExceptionRuntimeWrappedExceptionMissingMethodExceptionM_descriptionRunM_DynamicILInfoGetDynamicILInfoFieldInfoMethodInfoGet_CultureInfoEnsureUriInfostartupInfoMemberInfoM_memberInfoEmitLineNumberInfoParameterInfoProcessStartInfoDirectoryInfoZeroResetImplMapAlwaysCreateGuidHeapSleepsdgpsfgpExpSystem.Linqset_ShowInTaskbarJapaneseCalendarVolumeSeparatorCharMarkFinallyAddrMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderSpecialFolderGetPoolDataOrderBufferlpBfdsdhsdsdsfufferResourceManagerDebuggerICustomMarshalerAnsiCharMarshalerModuleResolveEventHandlerGetOwnerDeleteHelperIsBaseOfHelperCreateMethodBodyHelperDeclSecurityUserGetReturnParameterGet_IsNativeWriterget_IsPointerInstructionPrinterMethodDecrypterBitConverterEfiRuntimeDriverGetTokenForFloorset_RedirectStandardErrorDateSeparatorActivator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrM_ptrfaasfagfdgdasAbsTypeSpecsSystem.DiagnosticsdsdsdhddsdsdsdsgfdsFromMillisecondsGetMethodsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesInitializeWin32ResourceskrdcmecFSf.resourcesInitializePropertiesVTablesbInhderitfdfHandlesEnableVisualStylesEmptyTypesAssociateslpProcdesdhsAttdsdfsdfributeslphfdhThrdsedfdadAttributesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesSecurityAttributesWriteAllBytesGetBytesGet_NumberGroupSizessfggfsMapKeyStorageFlagsBindingFlagsdwCrefdfationFlagsGetMethodImplementationFlagsSetImplementationFlagsGetSecurityFlagsfsfgfgsfhddsdhsToTicksEqualsSystem.Windows.FormsGet_HasExtraSectionsCallingConventionsSet_TablesHeapOptionsCosm_posGetScopePropsget_CharsHexUpperCharsStreamHeadersGetOptionalCustomModifiersGetParameters__Filtersget_IsClassAssemblyBuilderAccessGetCurrentProcesshPhrdasocesshPfdsfhdsdrodscesslpfsdfAfdsddsadresslpBasfsdsdfeddfhsAddressSystem.Net.SocketsSetBitsMyDocumentsset_ArgumentsCrossScopeImportsInitializeTypeRefTableRowsGetWeekOfYearFullDaysAlways

.NET source code contains potential unpacker

Source: ElWebsite.exe.0.dr, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_0111F910 push eax; ret	0_2_0111F911
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_0111D35B pushad ; retf	0_2_0111D38D
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_0111D67C push eax; ret	0_2_0111D706
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_0111D6A5 push eax; ret	0_2_0111D706
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053D4F2D pushad ; ret	0_2_053D4F5D
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053EADC9 pushad ; iretd	0_2_053EADCA
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053E582B push ebp; retf	0_2_053E582C
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Code function: 0_2_053EEC55 push FFFFFF8Bh; iretd	0_2_053EEC57
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00842F16 push 0000003Eh; retn 0000h	4_2_00842F18
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_008430E5 push rax; ret	4_2_008430ED
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_008445A8 push rax; ret	4_2_008445B0
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00007FFF7F5C2964 push edi; ret	4_2_00007FFF7F5C2965
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00007FFF7F5CA20B push eax; ret	4_2_00007FFF7F5CA20C
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00007FFF7F5C2E13 push edi; ret	4_2_00007FFF7F5C2E14
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00007FFF7F5C2DF2 push edi; ret	4_2_00007FFF7F5C2DF3
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Code function: 4_2_00007FFF7F5C28B1 push edi; ret	4_2_00007FFF7F5C28B2

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

File created: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ezUEYpQhNN.exe PID: 3308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f

Hooking and other Techniques for Hiding and Protection

Moves itself to temp directory

Source: c:\users\user\desktop\ezueypqhnn.exe

File moved: C:\Users\user\AppData\Local\Temp\krdcmecFSf.exe

Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ezUEYpQhNN.exe PID: 3308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe TID: 1560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe TID: 3248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe TID: 5292	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe TID: 5292	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe TID: 1328	Thread sleep count: 4430 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe TID: 1328	Thread sleep count: 5296 > 30	Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Window / User API: threadDelayed 4430			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Window / User API: threadDelayed 5296			Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: ElWebsite.exe, 00000004.00000002.500548662.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@-@
Source: ElWebsite.exe, 00000004.00000003.278251872.000000001B3F0000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.504337226.000000001B3E8000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000003.277711450.000000001B3EE000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000003.337349003.000000001B3E8000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000003.278746089.000000001B3F0000.00000004.00000020.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000003.282476478.000000001B3E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ezUEYpQhNN.exe, endAction.cs	Reference to suspicious API methods: ('M_canceled', 'FindResource@f9XzSt94xcZiB5+EVrSi5w==')
Source: ElWebsite.exe.0.dr, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: ElWebsite.exe.0.dr, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 0.0.ezUEYpQhNN.exe.1140000.0.unpack, endAction.cs	Reference to suspicious API methods: ('M_canceled', 'FindResource@f9XzSt94xcZiB5+EVrSi5w==')
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 4.0.ElWebsite.exe.840000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 4.0.ElWebsite.exe.840000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 4.2.ElWebsite.exe.840000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 4.0.ElWebsite.exe.840000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Users\user\AppData\Local\Temp\ElWebsite.exe "C:\Users\user\AppData\Local\Temp\ElWebsite.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\ezUEYpQhNN.exe" "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f	Jump to behavior

Source: ElWebsite.exe, 00000004.00000002.501536235.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.501276030.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.501470567.0000000002B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: ElWebsite.exe, 00000004.00000002.501536235.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.502293808.0000000002D15000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.504370354.000000001B417000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ElWebsite.exe, 00000004.00000002.502293808.0000000002D15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0y

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Queries volume information: C:\Users\user\Desktop\ezUEYpQhNN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ezUEYpQhNN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ElWebsite.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ezUEYpQhNN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 4.2.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ElWebsite.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.302fec4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ezUEYpQhNN.exe.3023f04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ezUEYpQhNN.exe PID: 3308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: ezUEYpQhNN.exe, 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, ElWebsite.exe, 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, ElWebsite.exe.0.dr	Binary or memory string: MSASCui.exe
Source: ezUEYpQhNN.exe, 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, ElWebsite.exe, 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, ElWebsite.exe.0.dr	Binary or memory string: procexp.exe
Source: ezUEYpQhNN.exe, 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, ElWebsite.exe, 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, ElWebsite.exe.0.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000004.00000002.501081381.0000000002B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.502245246.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000004.00000002.501081381.0000000002B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.502245246.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ElWebsite.exe PID: 5652, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	12 Process Injection	11 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	111 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	2 Non-Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	3 Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ezUEYpQhNN.exe	46%	Virustotal		Browse
ezUEYpQhNN.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook
ezUEYpQhNN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	100%	Avira	HEUR/AGEN.1202861
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	62%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\ElWebsite.exe	85%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.ElWebsite.exe.840000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
4.0.ElWebsite.exe.840000.2.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
4.2.ElWebsite.exe.840000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
4.0.ElWebsite.exe.840000.1.unpack	100%	Avira	HEUR/AGEN.1202861	Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	172.67.34.170	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/tefSYKAL	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ElWebsite.exe, 00000004.00000002.501579874.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, ElWebsite.exe, 00000004.00000002.500974615.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pastebin.com	ElWebsite.exe, 00000004.00000002.502096513.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://pastebin.com	ElWebsite.exe, 00000004.00000002.502024248.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.196.86	unknown	France		16276	OVHFR	true
172.67.34.170	pastebin.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626815
Start date and time: 15/05/202216:01:21	2022-05-15 16:01:21 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ezUEYpQhNN (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/4@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 5.7% (good quality ratio 4.7%) Quality average: 62% Quality standard deviation: 36.8%
HCA Information:	Successful, ratio: 95% Number of executed functions: 32 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:02:41	Task Scheduler	Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.34.170	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Get hash	malicious	Browse
	4BdN4MsOSx.exe	Get hash	malicious	Browse
	Roblox pet simulator autofarm installer.exe	Get hash	malicious	Browse
	hvWRyao1F9.exe	Get hash	malicious	Browse
	conhost.exe	Get hash	malicious	Browse
	E9IOqND6ov.exe	Get hash	malicious	Browse
	Kopija za plakkanje_Komercijalna Banka_Pdf.exe	Get hash	malicious	Browse
	0FurYFNu3K.exe	Get hash	malicious	Browse
	edAX7juqJ8.exe	Get hash	malicious	Browse
	RTvNR7IFh7.exe	Get hash	malicious	Browse
	54MipOJAzj.exe	Get hash	malicious	Browse
	invoice.exe	Get hash	malicious	Browse
	7C804B99B58AC30B0A4715DFC795C88D835513E1CF64C.exe	Get hash	malicious	Browse
	my cv.exe	Get hash	malicious	Browse
	eEBrgLh48S.exe	Get hash	malicious	Browse
	NXaaKk3w5o.exe	Get hash	malicious	Browse
	https://cdn.discordapp.com/attachments/926917160364806166/957780798910644314/svhost.exe	Get hash	malicious	Browse
	Formulario_20183.msi	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pastebin.com	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Get hash	malicious	Browse	172.67.34.170
	7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe	Get hash	malicious	Browse	104.20.68.143
	WinBugsFix.cmd	Get hash	malicious	Browse	104.20.67.143
	4BdN4MsOSx.exe	Get hash	malicious	Browse	172.67.34.170
	Read Me.txt.cmd	Get hash	malicious	Browse	104.20.67.143
	vCHryYfSnV.exe	Get hash	malicious	Browse	104.20.67.143
	Roblox pet simulator autofarm installer.exe	Get hash	malicious	Browse	172.67.34.170
	PO^^MAYIN00043INBOMSpecifications Sheet^^^^^d.exe	Get hash	malicious	Browse	104.20.67.143
	hvWRyao1F9.exe	Get hash	malicious	Browse	172.67.34.170
	conhost.exe	Get hash	malicious	Browse	172.67.34.170
	setup.exe	Get hash	malicious	Browse	104.20.68.143
	E9IOqND6ov.exe	Get hash	malicious	Browse	104.20.68.143
	SecuriteInfo.com.W32.AIDetectNet.01.13790.exe	Get hash	malicious	Browse	104.20.67.143
	I8QWCkXHxT.exe	Get hash	malicious	Browse	104.20.67.143
	Copia de pagamento_ Caixa Geral_Pdf.exe	Get hash	malicious	Browse	104.20.67.143
	Kopija za plakkanje_Komercijalna Banka_Pdf.exe	Get hash	malicious	Browse	172.67.34.170
	0FurYFNu3K.exe	Get hash	malicious	Browse	172.67.34.170
	edAX7juqJ8.exe	Get hash	malicious	Browse	172.67.34.170
	RTvNR7IFh7.exe	Get hash	malicious	Browse	172.67.34.170
	QbWfobg3UL.exe	Get hash	malicious	Browse	104.20.68.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	http://y8hw959nhbaz7f.ist/MN1C0????////dgdfhjfthyuertywer634DETGRTY5RT6T	Get hash	malicious	Browse	188.114.96.10
	order confirmation copy.exe	Get hash	malicious	Browse	162.159.134.233
	LJRyvirNHS.exe	Get hash	malicious	Browse	188.114.96.10
	avira_en_sptl1_1038561641-1652615202__adwb.exe	Get hash	malicious	Browse	1.1.1.1
	eW323bJMHc.exe	Get hash	malicious	Browse	162.159.133.233
	LchoV9NYJA.exe	Get hash	malicious	Browse	162.159.135.232
	TGhrUySNPk	Get hash	malicious	Browse	1.14.17.57
	wd6ZtNzrF8	Get hash	malicious	Browse	104.25.87.103
	DTvQRT8Auf	Get hash	malicious	Browse	162.158.254.134
	E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe	Get hash	malicious	Browse	172.67.34.170
	DetalhesBR_274.78748359.975581.32372.cmd	Get hash	malicious	Browse	104.16.123.96
	FragHack.exe	Get hash	malicious	Browse	172.67.177.206
	k2hZRsiQCH	Get hash	malicious	Browse	1.14.17.171
	fooYgfbxno.exe	Get hash	malicious	Browse	104.21.89.61
	Halkbank_Ekstre_20220513_082357_541079.exe	Get hash	malicious	Browse	162.159.133.233
	Delivery_Notification_000923456.doc.js	Get hash	malicious	Browse	104.21.96.32
	Delivery_Notification_000923456.doc.js	Get hash	malicious	Browse	172.67.150.164
	7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe	Get hash	malicious	Browse	104.20.67.143
	RFQ. 220 & Drawings.exe	Get hash	malicious	Browse	162.159.134.233
	inlaww321345.exe	Get hash	malicious	Browse	188.114.96.10
OVHFR	e07yoxjWCq.exe	Get hash	malicious	Browse	51.77.78.54
	n5eIMEM68E	Get hash	malicious	Browse	213.32.50.241
	buiodawbdawbuiopdw.x86	Get hash	malicious	Browse	178.32.147.229
	FragHack.exe	Get hash	malicious	Browse	213.32.74.157
	1RNa4Y6mPR	Get hash	malicious	Browse	54.36.155.225
	3ybcb9P3wy	Get hash	malicious	Browse	158.69.181.253
	geekqK3HJJ	Get hash	malicious	Browse	151.80.108.46
	fooYgfbxno.exe	Get hash	malicious	Browse	213.186.33.5
	DHL SHIPMENT NOTIFICATION 1146789443.exe	Get hash	malicious	Browse	51.210.156.152
	7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe	Get hash	malicious	Browse	51.38.43.18
	7uPpTL4Qmi	Get hash	malicious	Browse	91.121.106.169
	Tsunami.arm7	Get hash	malicious	Browse	37.187.28.200
	UR0w9ZKXQ2	Get hash	malicious	Browse	192.99.207.236
	dEQ1kYJPQH	Get hash	malicious	Browse	54.36.243.225
	vGS5FlwPDP	Get hash	malicious	Browse	54.37.53.163
	contract_of_purchase_and_sale_bc_example 44284.js	Get hash	malicious	Browse	51.195.12.191
	Payment Remittance098.html	Get hash	malicious	Browse	54.39.157.6
	INV_660100.xlsx	Get hash	malicious	Browse	51.210.3.236
	INV_660100.xlsx	Get hash	malicious	Browse	51.210.3.236
	https://myubi.tv	Get hash	malicious	Browse	51.89.9.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	YPDtDZozE3.exe	Get hash	malicious	Browse	172.67.34.170
	https://relaxhere.org/de/rotluseipovamaetm	Get hash	malicious	Browse	172.67.34.170
	U409.lnk	Get hash	malicious	Browse	172.67.34.170
	vaeNP8_1Pv_b(004).cmd	Get hash	malicious	Browse	172.67.34.170
	SmartNetITStore_SECOND.ps1	Get hash	malicious	Browse	172.67.34.170
	Report.vbs	Get hash	malicious	Browse	172.67.34.170
	Floor_Factors.lnk	Get hash	malicious	Browse	172.67.34.170
	EPI.lnk	Get hash	malicious	Browse	172.67.34.170
	SecuriteInfo.com.Heur.906.xlsx	Get hash	malicious	Browse	172.67.34.170
	6VIPGo475e.exe	Get hash	malicious	Browse	172.67.34.170
	8rDJ5JmSAD.exe	Get hash	malicious	Browse	172.67.34.170
	MAKo2bWh1R.exe	Get hash	malicious	Browse	172.67.34.170
	n0z8Ep95rd.exe	Get hash	malicious	Browse	172.67.34.170
	AZ2cy5s5OF.exe	Get hash	malicious	Browse	172.67.34.170
	JrtkShv8bv.ps1	Get hash	malicious	Browse	172.67.34.170
	Kaufvertrag.lnk	Get hash	malicious	Browse	172.67.34.170
	4BDAd47i.txt.cmd	Get hash	malicious	Browse	172.67.34.170
	Read Me.txt.cmd	Get hash	malicious	Browse	172.67.34.170
	PO^^MAYIN00043INBOMSpecifications Sheet^^^^^d.exe	Get hash	malicious	Browse	172.67.34.170

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Local\Temp\ElWebsite.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Local\Temp\ElWebsite.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.096790542427552
Encrypted:	false
SSDEEP:	6:kKNYoJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:1KkPlE99SNxAhUesE1
MD5:	844812D4C2692040F1BEF86395A3975E
SHA1:	B80704D44CF98CC320A1BEA15359852B364C902B
SHA-256:	C970B54F0F078D7BC7F3EB7C661BDA72ACC2F19A0D5F5891728ABABAB1E5AED2
SHA-512:	D8F90BEA9130E33B1B90DB8FEBD8AC89C85D4E0F9D1B1B27EF44F227984B07303AB4F9BA2B50422D59DE51E65E0D163149C550E7B96FEEEFAA1AEE9BE4B5374F
Malicious:	false
Reputation:	low
Preview:	p...... .........._sdh..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ezUEYpQhNN.exe.log

Download File

Process:	C:\Users\user\Desktop\ezUEYpQhNN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzd
MD5:	12BC6A423CB11584DBBB3264AE68E0CE
SHA1:	DE1E6954FF5E326226AD5469C3F1F0AC9E41C461
SHA-256:	3592978914563991F47FFE8DDBBDC9CAAAD2B31F530335F17277192231015D6A
SHA-512:	AF328D01DFD1B3733A0746A0C313A00FAF40CD02A5710BB40C17088C7F02D7E83B2C176C794ACD54BEEDDA2910D7DBDFB4DACC9282F19988D1271E2C805AB675
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Download File

Process:	C:\Users\user\Desktop\ezUEYpQhNN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.6191389694834015
Encrypted:	false
SSDEEP:	768:oo+s3CjtDILWCCa+DiQpzycrDif8Ybdge9FUDEh9vEgK/JfZVc6KN:oo+AatpOPNzbKq7XnkJfZVclN
MD5:	39FD56F4E5A67CCF23E627F371CA9A9F
SHA1:	EB41AC2C14D71D48C3D64D3F2DA62667CD97B799
SHA-256:	15F62FD2EE2855349D213E5832CD50CF8E8A3F6D860630575FE7D8B18E8C66CC
SHA-512:	6976A095B48B2834A06101A577D8288805BF0445A73C10DC04174C870FF00CB0BA0DF5EBC20FB817B5EA77EE7B100AA9941DF321411C31726321BCB520033065
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 62%, Browse Antivirus: ReversingLabs, Detection: 85%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@.................................t...W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........]...m............................................................/.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(B......2~.....oC....s....%r...po....(g...r...p(....o....o....o....( ... ....(.....s....%r...po....r...po....%r...po.....o....o....( ...Vs.........sh...........(,.....(-........(a...(o........*.r1..p(g...rC..p(....o....(...+.!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.666746905824098
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ezUEYpQhNN.exe
File size:	311296
MD5:	b28ddf547716c0cdee99d4e5f261704d
SHA1:	cef47d43a0809616fbdb980b7864b4cef8ed2943
SHA256:	89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e
SHA512:	c78e8c4b9d871e3df72f7ecdad2a179225df6887adc9db63746bbbc6fd7ae1d3cfdd5dcbde039790bbc84193a9f5eb8516df716d614a88181b8253c5c188c24b
SSDEEP:	3072:5fhmb7fuD9Ms3vU2C/0c3aqYJIx+80yLxD/b74aP29CKTDksiCLdDXaRAQofR0j+:WLsp1M2ae9CKTrw82SJDlbss2
TLSH:	666477EC3AC11A72FD9ED1334A011A28BB6E0BC36240AB9D57DB15C6874F17D5D6EC88
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b............................N.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	858db08080808081

Static PE Info

General

Entrypoint:	0x44c44e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627F91D3 [Sat May 14 11:26:11 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c400	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x146a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4a454	0x4a600	False	0.427885372899	data	5.68830288996	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x146a	0x1600	False	0.251242897727	data	3.6415599434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
BGKNJ	0x4e5e0	0xd	ASCII text, with no line terminators
BSHLC	0x4e5f0	0xd	ASCII text, with no line terminators
CFAHE	0x4e600	0xd	ASCII text, with no line terminators
CKGMM	0x4e610	0xd	ASCII text, with no line terminators
DKECL	0x4e620	0xd	ASCII text, with no line terminators
DPBEO	0x4e630	0xd	ASCII text, with no line terminators
FECBF	0x4e640	0xd	ASCII text, with no line terminators
GDOMS	0x4e650	0xd	ASCII text, with no line terminators
JBFSD	0x4e660	0xd	ASCII text, with no line terminators
JDDJA	0x4e670	0xd	ASCII text, with no line terminators
KARBD	0x4e680	0xd	ASCII text, with no line terminators
MROKA	0x4e690	0xd	ASCII text, with no line terminators
RT_ICON	0x4e6a0	0x2e8	data
RT_ICON	0x4e988	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x4eab0	0x2e8	data
RT_ICON	0x4ed98	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x4eec0	0x22	data
RT_GROUP_ICON	0x4eee4	0x22	data
RT_VERSION	0x4ef08	0x378	data
RT_MANIFEST	0x4f280	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	MSHTA.EXE
FileVersion	11.00.19041.1 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Internet Explorer
ProductVersion	11.00.19041.1
FileDescription	Microsoft (R) HTML Application host
OriginalFilename	MSHTA.EXE
Translation	0x0409 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
51.195.196.86192.168.2.48868497592848152 05/15/22-16:02:44.117605	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	8868	49759	51.195.196.86	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2022 16:02:43.329588890 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.329658031 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:43.329852104 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.397267103 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.397337914 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:43.447746038 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:43.447874069 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.451015949 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.451051950 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:43.451559067 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:43.594434023 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.764369011 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:43.804552078 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:44.040117025 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:44.040462971 CEST	443	49758	172.67.34.170	192.168.2.4
May 15, 2022 16:02:44.040565014 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:44.049851894 CEST	49758	443	192.168.2.4	172.67.34.170
May 15, 2022 16:02:44.056957960 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:44.084883928 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:02:44.085007906 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:44.089303017 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:44.117604971 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:02:44.142091036 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:44.171973944 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:02:44.297573090 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:47.479326010 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:47.556494951 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:02:47.556670904 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:02:47.634474039 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:00.097378016 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:00.167735100 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:00.169349909 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:00.198082924 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:00.381047964 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:00.408828974 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:00.486548901 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:00.933783054 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:01.009604931 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:01.009803057 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:01.087819099 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:03.374211073 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:03.486773968 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:03.514421940 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:03.580527067 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:12.708717108 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:12.790910959 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:12.790987015 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:12.819607019 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:12.862549067 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:12.890208960 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:12.940591097 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:13.031327009 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:13.103355885 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:13.103450060 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:13.181490898 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:25.336507082 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.416110992 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:25.416331053 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.445461988 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:25.488691092 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.516350985 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:25.566689968 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.587389946 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.665888071 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:25.667443991 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:25.744103909 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:33.378076077 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:33.489933968 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:33.517673016 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:33.676786900 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:37.976527929 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:38.056765079 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:38.060415030 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:38.089015007 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:38.177124023 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:38.204905987 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:38.214260101 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:38.290854931 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:38.290961981 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:38.369344950 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:50.570097923 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:50.650182962 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:50.650283098 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:50.681286097 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:50.725064039 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:50.753855944 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:50.756496906 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:50.837765932 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:03:50.837884903 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:03:50.916083097 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:03.217396975 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:03.291313887 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:03.291515112 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:03.320224047 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:03.366832018 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:03.394640923 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:03.433937073 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:03.509586096 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:03.509716988 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:03.587743998 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:15.822544098 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:15.900331020 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:15.900454044 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:15.978324890 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:16.163450956 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:16.211707115 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:16.239636898 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:16.253887892 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:16.322318077 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:16.322438955 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:16.400333881 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:28.519732952 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:28.603180885 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:28.603313923 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:28.631611109 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:28.681416035 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:28.709263086 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:28.709978104 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:28.790750027 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:28.790858984 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:28.868969917 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:33.375427961 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:33.416256905 CEST	49759	8868	192.168.2.4	51.195.196.86
May 15, 2022 16:04:33.444101095 CEST	8868	49759	51.195.196.86	192.168.2.4
May 15, 2022 16:04:33.494355917 CEST	49759	8868	192.168.2.4	51.195.196.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2022 16:02:43.292408943 CEST	60506	53	192.168.2.4	8.8.8.8
May 15, 2022 16:02:43.314044952 CEST	53	60506	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 15, 2022 16:02:43.292408943 CEST	192.168.2.4	8.8.8.8	0x1e07	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 15, 2022 16:02:43.314044952 CEST	8.8.8.8	192.168.2.4	0x1e07	No error (0)	pastebin.com	172.67.34.170	A (IP address)	IN (0x0001)
May 15, 2022 16:02:43.314044952 CEST	8.8.8.8	192.168.2.4	0x1e07	No error (0)	pastebin.com	104.20.67.143	A (IP address)	IN (0x0001)
May 15, 2022 16:02:43.314044952 CEST	8.8.8.8	192.168.2.4	0x1e07	No error (0)	pastebin.com	104.20.68.143	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	172.67.34.170	443	C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Timestamp	Direction	Data
2022-05-15 14:02:43 UTC	OUT	GET /raw/tefSYKAL HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2022-05-15 14:02:44 UTC	IN	HTTP/1.1 200 OK Date: Sun, 15 May 2022 14:02:44 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Sun, 15 May 2022 02:27:49 GMT Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 70bc69b7995d9b5b-FRA
2022-05-15 14:02:44 UTC	IN	Data Raw: 31 32 0d 0a 35 31 2e 31 39 35 2e 31 39 36 2e 38 36 3a 38 38 36 38 0d 0a Data Ascii: 1251.195.196.86:8868
2022-05-15 14:02:44 UTC	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ezUEYpQhNN.exePID: 3308, Parent PID: 5928

General

Target ID:	0
Start time:	16:02:22
Start date:	15/05/2022
Path:	C:\Users\user\Desktop\ezUEYpQhNN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ezUEYpQhNN.exe"
Imagebase:	0x1140000
File size:	311296 bytes
MD5 hash:	B28DDF547716C0CDEE99D4E5F261704D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.272022034.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ElWebsite.exePID: 5652, Parent PID: 3308

General

Target ID:	4
Start time:	16:02:34
Start date:	15/05/2022
Path:	C:\Users\user\AppData\Local\Temp\ElWebsite.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\ElWebsite.exe"
Imagebase:	0x840000
File size:	48640 bytes
MD5 hash:	39FD56F4E5A67CCF23E627F371CA9A9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000004.00000002.501081381.0000000002B14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000004.00000002.502245246.0000000002D05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.253851947.0000000000842000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.254482249.0000000000842000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.498438501.0000000000842000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.254177754.0000000000842000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\ElWebsite.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, Virustotal, Browse Detection: 85%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1100, Parent PID: 3308

General

Target ID:	5
Start time:	16:02:34
Start date:	15/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2012, Parent PID: 1100

General

Target ID:	6
Start time:	16:02:35
Start date:	15/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 3432, Parent PID: 1100

General

Target ID:	7
Start time:	16:02:39
Start date:	15/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\Mshta\Mshta.exe'" /f
Imagebase:	0xb50000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3656, Parent PID: 3308

General

Target ID:	8
Start time:	16:02:40
Start date:	15/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\Desktop\ezUEYpQhNN.exe" "C:\Users\user\AppData\Roaming\Mshta\Mshta.exe
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5608, Parent PID: 3656

General

Target ID:	9
Start time:	16:02:41
Start date:	15/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ezUEYpQhNN.exePID: 3308, Parent PID: 5928COMMON

Execution Graph

Execution Coverage:	27.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	3

Executed Functions

Function 011188D0 Relevance: 5.8, Strings: 1, Instructions: 4536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7, xrefs: 0111D604

Memory Dump Source

Source File: 00000000.00000002.271657868.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1110000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 8b3af63dcfbd776b1a549f7696057adf19169dc74147695aced5e8d22d00b5c8
Instruction ID: c46749a1ef8bb5fc0efc3c2bd39dbfb4c03fff8811b85d6acac887c69f669d0d
Opcode Fuzzy Hash: 8b3af63dcfbd776b1a549f7696057adf19169dc74147695aced5e8d22d00b5c8
Instruction Fuzzy Hash: 48A33E71E052288FCB68EF78E99A698BBB2FB45304F0044E9D45CA3265DF385E84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 053E0040 Relevance: 4.4, Instructions: 4420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.272163315.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53e0000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b25fa57799bf0e4c4075ad26ec498af07945681e47b443d1240183acabe7f7
Instruction ID: 6c3362f4c93e41d8ec64d547cc068778780b49143693f17fc206cf8edd93211a
Opcode Fuzzy Hash: b7b25fa57799bf0e4c4075ad26ec498af07945681e47b443d1240183acabe7f7
Instruction Fuzzy Hash: 1E931975E151288BCB64EF28E99669CBBF2FF48304F4048EAD448A7261DF346E84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 053D5730 Relevance: 1.5, Instructions: 1529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.272150240.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8dcf91190e02e005dcab6b27f3ba08864ecdc4e658f856e3c805d1e9e18ee1
Instruction ID: aed18590ade6d921118b802189fb69d4d3a3a09761c20e126a87c111ae0f43e3
Opcode Fuzzy Hash: ff8dcf91190e02e005dcab6b27f3ba08864ecdc4e658f856e3c805d1e9e18ee1
Instruction Fuzzy Hash: C8E22971E16168CFCB54EF38E99A6ACBBB2FB48300F0045E9D448A7225DB346E94DF51

Uniqueness

Uniqueness Score: -1.00%

Function 053D0006 Relevance: 1.5, Instructions: 1478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.272150240.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f322bba1e42457da4fe778ad5c0d9cda46a2859c2fe5cb0358408cc559b59ffa
Instruction ID: f7e5ffdd2ac29ab2a599145109cc281a79d69c078e8b2b312ba5d145684305ed
Opcode Fuzzy Hash: f322bba1e42457da4fe778ad5c0d9cda46a2859c2fe5cb0358408cc559b59ffa
Instruction Fuzzy Hash: EDE23975E152688FCB14EF38E99669DBBB2FB48300F0049E9D488A7261DF346E84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 053DC560 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053DC621

Memory Dump Source

Source File: 00000000.00000002.272150240.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_ezUEYpQhNN.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f8cc44d4c7798a98e1f9244eead74616be61443a4940917a92478a8387d60884
Instruction ID: 3a2a52c25bb7a16d8f4c515b5787c13ef634d1f0a0ca02470e6a91cbc675631b
Opcode Fuzzy Hash: f8cc44d4c7798a98e1f9244eead74616be61443a4940917a92478a8387d60884
Instruction Fuzzy Hash: CF4149B5A003098FCB14CF99C488AAAFBF5FB88314F14C499D519A7325C775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 053ED620 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 053ED685

Memory Dump Source

Source File: 00000000.00000002.272163315.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53e0000_ezUEYpQhNN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fc4de9087327b54bbcc4e25260031b5841daa5fc1529a7ae9e5cdf355875f4b7
Instruction ID: 4d46deb488dfea3ed508197166e276b14ea8c9f50a50fb2d6897fe26ae550604
Opcode Fuzzy Hash: fc4de9087327b54bbcc4e25260031b5841daa5fc1529a7ae9e5cdf355875f4b7
Instruction Fuzzy Hash: ED11F2B58003489FCB10CF99D885BDEFBF8EB49324F10881AE519A7640C3B5A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053ED628 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 053ED685

Memory Dump Source

Source File: 00000000.00000002.272163315.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53e0000_ezUEYpQhNN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eecb65c96051e1ab7802ecdaa2b0583238f6480da6ec4305f167fefca9c33f51
Instruction ID: 19eb7245293aa6c4c91a935df63e09cfc9eb99e66cc8255bc69862a905e23710
Opcode Fuzzy Hash: eecb65c96051e1ab7802ecdaa2b0583238f6480da6ec4305f167fefca9c33f51
Instruction Fuzzy Hash: BC11D0B58003499FDB10CF99D885BDEFBF8FB49324F10881AE519A7640C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271599189.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3713474091c978a0d26caf40c0b741d83f93e1e7b79781517f360ed80413640
Instruction ID: 18532e85efbf169bc048b61e858a0c33131937e4c713c405d208048592c76bc0
Opcode Fuzzy Hash: e3713474091c978a0d26caf40c0b741d83f93e1e7b79781517f360ed80413640
Instruction Fuzzy Hash: DA2125B1504244EFDB11DF54D9C0BAAFFA5FB8832CF24C5A9E9454B206C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271599189.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e315e63e7ba38f7aa3e2b76c4c5bd4ec3761022dcbbe1aa7ca08cac9038f19b
Instruction ID: 95b553be764dfee123dc4ba4062a8a718e06715fb888f0c4fa5102ab13c015b5
Opcode Fuzzy Hash: 1e315e63e7ba38f7aa3e2b76c4c5bd4ec3761022dcbbe1aa7ca08cac9038f19b
Instruction Fuzzy Hash: B4216AB1504244DFDB01DF54C9C0BAAFFA5FB84328F20C5A9E9454B207C73AE856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271612015.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce0203aeb602625e8d11f439bbbf0460bf9db750b26f96f0db55b07a02ca885
Instruction ID: 8d8f5b334913c9476c5a770d386ef079fc33a5f8cbcfeb297442821601f45f3e
Opcode Fuzzy Hash: 3ce0203aeb602625e8d11f439bbbf0460bf9db750b26f96f0db55b07a02ca885
Instruction Fuzzy Hash: ED21F171504244AFCB11DF98D4C0B2EBBA1EB84654F30C5BDE9894B246C336D807CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271612015.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0c88ae462411291c956913b7518d356f0177c0379bdea873ee3bc1d86ff9d1
Instruction ID: d6b6b012c35c9e2bda95a5ad2cc5450934a547092b88ad7a2a5ed4f3b6464a44
Opcode Fuzzy Hash: 4c0c88ae462411291c956913b7518d356f0177c0379bdea873ee3bc1d86ff9d1
Instruction Fuzzy Hash: EA2192755083809FCB03CF58D994B15BFB1EB46314F28C5EAD8858F257C33A984ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271599189.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
Instruction ID: c1a552a54b0a8d4c21bc54d5a6a22ab94dd601b0de643cdac4031a876507a415
Opcode Fuzzy Hash: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
Instruction Fuzzy Hash: E111B176504280DFCB52CF54D5C4B56FFB1FB84328F24C6A9D8450B616C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271599189.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
Instruction ID: 89307857b96604f695ed11d325690d179ac6e682b6b22555f50f1a93ec128843
Opcode Fuzzy Hash: 5bf02d69050becd3d46a1a83d3057079996056aa0a7a8d5a39dcc4e83b01ae8c
Instruction Fuzzy Hash: A511AF76504280DFDB12CF54D5C4B96FFB1FB84324F24C6A9D8490B616C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F100A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828b46a1b4cc8138535f5f30df0a6490eb945b81ab57d51b4684b1f3521ee8af
Instruction ID: 57ab7b5315a173fdf7c6cf59b419aa317929bf0b933f30b35a054d66ed7ef589
Opcode Fuzzy Hash: 828b46a1b4cc8138535f5f30df0a6490eb945b81ab57d51b4684b1f3521ee8af
Instruction Fuzzy Hash: 3601A7317097815FD72646284822B667F625F82754F5980FFDA80DF567CA258C42C761

Uniqueness

Uniqueness Score: -1.00%

Function 02F1084D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0273669e95c0cb44712884f680a3845033e8f9dd92311f434249a77db2900633
Instruction ID: 9b849b8a7246962a9f4988354f21ff4160cb6b66dee5a0574dd69457c0c2fb3e
Opcode Fuzzy Hash: 0273669e95c0cb44712884f680a3845033e8f9dd92311f434249a77db2900633
Instruction Fuzzy Hash: 5301F962F0D3D14FC71656A90870A1AABE35F860A035A84BFCA85CB297DE248C41C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 02F100C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd98de9cb2364ea3680738ac28d5ef0b583ddd737346fddbcc37846402ff5d5f
Instruction ID: b224385450dde3f285d306f4dd42c71b50001322c4d5e770bec793537583102a
Opcode Fuzzy Hash: cd98de9cb2364ea3680738ac28d5ef0b583ddd737346fddbcc37846402ff5d5f
Instruction Fuzzy Hash: 3AF0C232B046504FD724454D8421B2B62D69BC5FA0F65803EEA05AB758CE71CC8183E1

Uniqueness

Uniqueness Score: -1.00%

Function 02F1024D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03dc6dc242c1eb048659d724804ba8571c3eee206a4903ed265744d7c8ab478
Instruction ID: 83ca6b641b591a6404f05150a6591dffad492c6f14df7f1b4e17814c63bbaa16
Opcode Fuzzy Hash: e03dc6dc242c1eb048659d724804ba8571c3eee206a4903ed265744d7c8ab478
Instruction Fuzzy Hash: F0F0A426B0D7D24FC36B02B80825579BFA20E8755035A41EFC9858BA67CE248C86C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 02F1035D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd1e06d010d0e7e532c944791f5a0a4891651ae7a901e9abf332f1a274cba02
Instruction ID: 9149246a571c0a3357b2fcbe74740d8fae0328d12d05a77fa575b54826ad7c5f
Opcode Fuzzy Hash: ccd1e06d010d0e7e532c944791f5a0a4891651ae7a901e9abf332f1a274cba02
Instruction Fuzzy Hash: 80F04422F0D3D18FD76743684422169BBA10A8715475941EFCA85CBAA6CE258C8683A3

Uniqueness

Uniqueness Score: -1.00%

Function 02F10631 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3cef8dd9066ce963f55f9216f958d36213df53078967e108d85960a26417b4
Instruction ID: f2f47e2705e72170175ad8e0155aeb43fe105e564c9462ae5e2c4aa3b372fa4a
Opcode Fuzzy Hash: 5a3cef8dd9066ce963f55f9216f958d36213df53078967e108d85960a26417b4
Instruction Fuzzy Hash: B6F0F219A0E3E20FD72B133418A05A52F728EC301075E81EF95C0CF5EBCA18488ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 02F10451 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc2ad68560f04dcbcd5537131b43d9c2b9a32bb898d379327e5d60f2e6be507
Instruction ID: cbd857bebf5b3196ef4cf4fa7cb3fe2134ca3d9010f60221e7f70438eeffba64
Opcode Fuzzy Hash: efc2ad68560f04dcbcd5537131b43d9c2b9a32bb898d379327e5d60f2e6be507
Instruction Fuzzy Hash: C2F0ED2A68E3C14FD70787704C65565BFB19D4711034A85EBD5C0CF1A7DA285C4ADB23

Uniqueness

Uniqueness Score: -1.00%

Function 02F104E1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3323f7b60d780f24c9b46a16dcf049b3b5f2720f1b4bc876a78687658d9c81dd
Instruction ID: 65d9f897dc2fd1f244a61c4b73c456a442c9dc5d6e5625baa96eb8e273f3dd1b
Opcode Fuzzy Hash: 3323f7b60d780f24c9b46a16dcf049b3b5f2720f1b4bc876a78687658d9c81dd
Instruction Fuzzy Hash: B7E07E5164E7D40FD70312242CB40987F78895706130A02DBD8C1CF5E3D54D180BE362

Uniqueness

Uniqueness Score: -1.00%

Function 02F103C5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b5af5b5e0cc2b9563470c016b9131bb29871551d39842eaf55ebf523eb1b09
Instruction ID: 8ec91f350dfde927000a16eff37543fa826b2ebfc5e54d67e2b1d09d9dc54f8b
Opcode Fuzzy Hash: f5b5af5b5e0cc2b9563470c016b9131bb29871551d39842eaf55ebf523eb1b09
Instruction Fuzzy Hash: 6BE01234A8D3C18FD71B46240830165BF71AD8350474D81FE8985CF1A7CE2988479753

Uniqueness

Uniqueness Score: -1.00%

Function 02F10B95 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1ef5d0c37f6ebc01768dba7fd7634c2eba2929d9f143bac6ad7e4e67c02d11
Instruction ID: 8ea731be4b419b0fcc0f1d6bd8a83c6c867a0d56724408cb65167eba57908be7
Opcode Fuzzy Hash: 0a1ef5d0c37f6ebc01768dba7fd7634c2eba2929d9f143bac6ad7e4e67c02d11
Instruction Fuzzy Hash: B5F06D3064E7C18FD707832448624203F715E4711434A40EFC581CF5B3DA188841C342

Uniqueness

Uniqueness Score: -1.00%

Function 02F10681 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982211f8c4a868a3cbbc55c8af977bd76b68daef989d0f757723407a2fc2a5ab
Instruction ID: f4dd46345ddb54b19685b1083cae2a6a6ec469cc3e8daf1da36599bf16fda126
Opcode Fuzzy Hash: 982211f8c4a868a3cbbc55c8af977bd76b68daef989d0f757723407a2fc2a5ab
Instruction Fuzzy Hash: B5F0C255A0E7C14FD717A33018694A8BFB14E4702075E49DFC0D1CB5F3D619484ACB27

Uniqueness

Uniqueness Score: -1.00%

Function 02F10409 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e703c20997c913c51bfb6144b89f7d6e1b4c3346bff7d4454197f5bb47134bc5
Instruction ID: 7510b07fdcc9a07933c3952f49dc6ce7021e5cd636c0e7725f4ed56d0150f78c
Opcode Fuzzy Hash: e703c20997c913c51bfb6144b89f7d6e1b4c3346bff7d4454197f5bb47134bc5
Instruction Fuzzy Hash: F0F0C92464E3D14FD71B43344925225BF725E83504B9E80FF8585CF1A7DE29884AC733

Uniqueness

Uniqueness Score: -1.00%

Function 02F109CD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245643949e590587477f5da816778731799307d8f8a00b8e8951b9c7548636db
Instruction ID: bd4275716f80b0947527dd3542b392fb83b975d1e9e8aa15ac68af1b09edcbd4
Opcode Fuzzy Hash: 245643949e590587477f5da816778731799307d8f8a00b8e8951b9c7548636db
Instruction Fuzzy Hash: AEE0EC1164E3E10FD71B13341C350A97F608E1346035E09DFD5C1DF6E3D9481C4A83A6

Uniqueness

Uniqueness Score: -1.00%

Function 02F10519 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ef819cf2dce0229ecddad7f160e72e943d3e4d08245b5867a582e6d3d46952
Instruction ID: 612851b5dec9fde527b6841a1da48899f9088c33f99644263517d78edc24fde9
Opcode Fuzzy Hash: 46ef819cf2dce0229ecddad7f160e72e943d3e4d08245b5867a582e6d3d46952
Instruction Fuzzy Hash: 15E0121A24E3C14FD7030770087027A7F711A8708038A80EBDA84CB2E3DA1C8849DB32

Uniqueness

Uniqueness Score: -1.00%

Function 02F10F90 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6656aba22281b80a08b2f3bd3068294fdced21702a34f9e7946ab5a0d9843b24
Instruction ID: 2e2db142cd553e42184eb9b250110c2f1b0b84a70584489a33f39eb9857ce6ef
Opcode Fuzzy Hash: 6656aba22281b80a08b2f3bd3068294fdced21702a34f9e7946ab5a0d9843b24
Instruction Fuzzy Hash: A7D02B35F08B41CB571981284022416F2D3AFD2524318C43CCAC68A70CDF308C81CF53

Uniqueness

Uniqueness Score: -1.00%

Function 02F10BB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a0b2e92789cc8e2dc794cd0d6901304ef5117277cd8223837afa08f2666c5d
Instruction ID: 228df0ddcdd3197a45c499c68bb1958aef6de850fd5f0be83c39394380260225
Opcode Fuzzy Hash: b5a0b2e92789cc8e2dc794cd0d6901304ef5117277cd8223837afa08f2666c5d
Instruction Fuzzy Hash: 29D0A739B01A0A8F5714D61DC11293933E75FC66187A480FDD60ACFB64EF30DC808641

Uniqueness

Uniqueness Score: -1.00%

Function 02F106B3 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271998999.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f10000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc276df98899b790de72c82f756f7211966965b9780270a284928fe161b85cb5
Instruction ID: c0e4fc725f24ac5dd7fc746dff74e1e672b61782f6169dd789d98491dd018322
Opcode Fuzzy Hash: fc276df98899b790de72c82f756f7211966965b9780270a284928fe161b85cb5
Instruction Fuzzy Hash: 3AB09202B456A10297C8A16870202EE60838BC8410B19C8B4125A9A68DED204C8201A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053DAD35 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272150240.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955daf3666d4d523811c362cdc5d62bc3c5c058f3a5c51e16d58eef774eea506
Instruction ID: f30e495a8a70f20fe814aa5f269341642cc0f1bfab1f195341dc2a0c347f5c54
Opcode Fuzzy Hash: 955daf3666d4d523811c362cdc5d62bc3c5c058f3a5c51e16d58eef774eea506
Instruction Fuzzy Hash: 26E1436245E7C58FD3036778AD69169BFB0AE07210B0A45EBC4D1CB0B3DA68491EC377

Uniqueness

Uniqueness Score: -1.00%

Function 053DADC4 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.272150240.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_ezUEYpQhNN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388070275bb8a3ad27e80d57594c0491820f3eb206ff380a1d0b05d109d74d25
Instruction ID: 95d6bed79da6db6f4de2f2771863bd0c0dcafc13b96e6aff8484836523c724e1
Opcode Fuzzy Hash: 388070275bb8a3ad27e80d57594c0491820f3eb206ff380a1d0b05d109d74d25
Instruction Fuzzy Hash: 6BB1456245E7C58FD3036B78A969159BFB4AE07210B0A05EBD4D1DB1B3DA28491DC3B3

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ElWebsite.exePID: 5652, Parent PID: 3308COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFF7F5C2121 Relevance: 1.7, APIs: 1, Instructions: 151
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFF7F5C21FF

Memory Dump Source

Source File: 00000004.00000002.505511025.00007FFF7F5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fff7f5c0000_ElWebsite.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 47248dd40262f8c2b3cf344853312c9f5917cf33cda9b6999227cc339fba0347
Instruction ID: e58f53999bd9c6d8e8c5b551fabc70c68662902de544c68c91e148405f3d9737
Opcode Fuzzy Hash: 47248dd40262f8c2b3cf344853312c9f5917cf33cda9b6999227cc339fba0347
Instruction Fuzzy Hash: 5E413C31908A1C8FDB98EF58D855BEDBBF1FF59310F00426AD04ED7292DA74A846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF7F5C24AA Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFF7F5C255A

Memory Dump Source

Source File: 00000004.00000002.505511025.00007FFF7F5C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F5C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fff7f5c0000_ElWebsite.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 82426006dee1c68e6910d2c7213c1071b658949efc2c7a4cc35746dc23a94e0f
Instruction ID: ea08a5a1154edeff382531e49bc000024923d79edf703281d9550076ab7a1aa0
Opcode Fuzzy Hash: 82426006dee1c68e6910d2c7213c1071b658949efc2c7a4cc35746dc23a94e0f
Instruction Fuzzy Hash: EB31823291CB484FDB18DB9C98466FDBBE1FB95721F04426FE04AD3292DA756806C782

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ezUEYpQhNN

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ezUEYpQhNN.exe.log

C:\Users\user\AppData\Local\Temp\ElWebsite.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
ezUEYpQhNN

Function 011188D0 Relevance: 5.8, Strings: 1, Instructions: 4536
COMMON

Function 053E0040 Relevance: 4.4, Instructions: 4420
COMMON

Function 053D5730 Relevance: 1.5, Instructions: 1529
COMMON

Function 053D0006 Relevance: 1.5, Instructions: 1478
COMMON

Function 053DC560 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 053ED620 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 053ED628 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre