Edit tour

Windows Analysis Report
bJyz.exe

Overview

General Information

Sample Name:	bJyz.exe
Analysis ID:	798022
MD5:	90631c5269980f1ea596b3c76974d262
SHA1:	889a1edb9b462ed0d3a5cc8ecf0427696d6095c5
SHA256:	c40f3216652866e041fd154c38dab5f443f65da7e995e45ce473bf2662e2f7e4
Tags:	DcRatexe
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected DcRat

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AsyncRAT

Snort IDS alert for network traffic

.NET source code references suspicious native API functions

Machine Learning detection for sample

.NET source code contains potential unpacker

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

bJyz.exe (PID: 6064 cmdline: C:\Users\user\Desktop\bJyz.exe MD5: 90631C5269980F1EA596B3C76974D262)

cleanup

Malware Configuration

Threatname: AsyncRAT

{
  "Server": "20.197.196.201",
  "Ports": "7749",
  "Version": "1.0.7",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "AES_key": "IOghFCfdtBils6in0krvPECQbwYlTDFw",
  "Mutex": "hAtBdUenfThOelUfgThs",
  "Certificate": "MIICMDCCAZmgAwIBAgIVAOjllOP9zNPUy+DnkGOHUy3mGTVpMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDQyNDE1MjgzN1oXDTMzMDEzMTE1MjgzN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIujHxepNb1ZMaM/7U9Ac2ZDicXXTdHTpo/6XA/ky49AD2dUo+ePhXh4s+My7WBVBmlt2hXjcIrlIplIg8POgolDwcb0bTzxNYXQhM2HilyC7cLGr32TqfuGhEVbwwhgmLS1t6058JWg3b6tuv/G5GQR/a9My/Gxh5rK6u2PM8eNAgMBAAGjMjAwMB0GA1UdDgQWBBQ0QxBOSKnNRkub/6AdzM7homSj7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFzhhnVymiCni+g3hEBBG2jHHeb1iGfonR6X654l9T3ky24n9ipvG5fE1hH/oxPe8oKjC0zkgKkmYBCgaSHWDTxRiGBYepfIkdoZGMM8BvqXyNPYxF1JbhuffoABxk9xhO+Xjr4PQFdE7WtCWw7SU8dw6LEV8pJKktsCnL+yxGw6",
  "ServerSignature": "dgDI1myGDyPM9XWXeA88YG7N/1KnJR8YgCSCx1CrAnHUsF8ouSsi1LoEkMSQw3ZRVEUUonWw/RkwIVk3gzqBSjPMgx9dlVyJVMBpjCnKZ9Ri9plQ8ttW41hYWOFvFtdMSweZRawV9CyHunTmIeZ5f9W10juIxTtM6CHruPOTuP0=",
  "BDOS": "null"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bJyz.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
bJyz.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a20:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996b:$s2: L2Mgc2NodGFza3MgL2 0x98ea:$s3: QW1zaVNjYW5CdWZmZXI 0x9938:$s4: VmlydHVhbFByb3RlY3Q
bJyz.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca2:$q1: Select * from Win32_CacheMemory 0x9ce2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d30:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d7e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
bJyz.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11a:$s1: DcRatBy
bJyz.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ac0:$a2: timeout 3 > NUL 0x9ae0:$a3: START "" " 0x996b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a20:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x17895:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63f7:$a1: havecamera 0x98c0:$a2: timeout 3 > NUL 0x98e0:$a3: START "" " 0x976b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9820:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.513588500.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x14e50:$b2: DcRat By qwqdanchun1 0x4c68c:$b2: DcRat By qwqdanchun1 0x5e7f8:$b2: DcRat By qwqdanchun1
00000000.00000002.524628508.000000001C690000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x30885:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x307d4:$s2: L2Mgc2NodGFza3MgL2
00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x50a0:$b1: DcRatByqwqdanchun 0x3e1cc:$b2: DcRat By qwqdanchun1
Process Memory Space: bJyz.exe PID: 6064	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: bJyz.exe PID: 6064	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: bJyz.exe PID: 6064	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1a17:$a1: havecamera 0x65e9:$b1: DcRatByqwqdanchun 0x6037a:$b1: DcRatByqwqdanchun 0x6ba75:$b2: DcRat By qwqdanchun1 0x6d752:$b2: DcRat By qwqdanchun1
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bJyz.exe.9e0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.bJyz.exe.9e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a20:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x996b:$s2: L2Mgc2NodGFza3MgL2 0x98ea:$s3: QW1zaVNjYW5CdWZmZXI 0x9938:$s4: VmlydHVhbFByb3RlY3Q
0.0.bJyz.exe.9e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9ca2:$q1: Select * from Win32_CacheMemory 0x9ce2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d30:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d7e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.bJyz.exe.9e0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa11a:$s1: DcRatBy
0.0.bJyz.exe.9e0000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9ac0:$a2: timeout 3 > NUL 0x9ae0:$a3: START "" " 0x996b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a20:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.2.bJyz.exe.1c690000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x30885:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x307d4:$s2: L2Mgc2NodGFza3MgL2
0.2.bJyz.exe.12e36930.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2ea85:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2e9d4:$s2: L2Mgc2NodGFza3MgL2
0.2.bJyz.exe.1c690000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2ea85:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x2e9d4:$s2: L2Mgc2NodGFza3MgL2
0.2.bJyz.exe.12e36930.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x30885:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x307d4:$s2: L2Mgc2NodGFza3MgL2
Click to see the 4 entries

Snort Signatures

ET TROJAN Observed Malicious SSL Cert (AsyncRAT) - Source IP: 20.197.196.201 - Destination IP: 192.168.2.3

Timestamp:	20.197.196.201192.168.2.37749496962034847 02/03/23-17:09:07.069273
SID:	2034847
Source Port:	7749
Destination Port:	49696
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 20.197.196.201 - Destination IP: 192.168.2.3

Timestamp:	20.197.196.201192.168.2.37749496962848152 02/03/23-17:09:07.069273
SID:	2848152
Source Port:	7749
Destination Port:	49696
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bJyz.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: bJyz.exe

ReversingLabs: Detection: 74%

Machine Learning detection for sample

Source: bJyz.exe

Joe Sandbox ML: detected

Source: bJyz.exe

Malware Configuration Extractor: AsyncRAT {"Server": "20.197.196.201", "Ports": "7749", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "IOghFCfdtBils6in0krvPECQbwYlTDFw", "Mutex": "hAtBdUenfThOelUfgThs", "Certificate": "MIICMDCCAZmgAwIBAgIVAOjllOP9zNPUy+DnkGOHUy3mGTVpMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDQyNDE1MjgzN1oXDTMzMDEzMTE1MjgzN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIujHxepNb1ZMaM/7U9Ac2ZDicXXTdHTpo/6XA/ky49AD2dUo+ePhXh4s+My7WBVBmlt2hXjcIrlIplIg8POgolDwcb0bTzxNYXQhM2HilyC7cLGr32TqfuGhEVbwwhgmLS1t6058JWg3b6tuv/G5GQR/a9My/Gxh5rK6u2PM8eNAgMBAAGjMjAwMB0GA1UdDgQWBBQ0QxBOSKnNRkub/6AdzM7homSj7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFzhhnVymiCni+g3hEBBG2jHHeb1iGfonR6X654l9T3ky24n9ipvG5fE1hH/oxPe8oKjC0zkgKkmYBCgaSHWDTxRiGBYepfIkdoZGMM8BvqXyNPYxF1JbhuffoABxk9xhO+Xjr4PQFdE7WtCWw7SU8dw6LEV8pJKktsCnL+yxGw6", "ServerSignature": "dgDI1myGDyPM9XWXeA88YG7N/1KnJR8YgCSCx1CrAnHUsF8ouSsi1LoEkMSQw3ZRVEUUonWw/RkwIVk3gzqBSjPMgx9dlVyJVMBpjCnKZ9Ri9plQ8ttW41hYWOFvFtdMSweZRawV9CyHunTmIeZ5f9W10juIxTtM6CHruPOTuP0=", "BDOS": "null"}

Source: bJyz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 20.197.196.201:7749 -> 192.168.2.3:49696
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 20.197.196.201:7749 -> 192.168.2.3:49696

Source: global traffic

TCP traffic: 192.168.2.3:49696 -> 20.197.196.201:7749

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.196.201

Source: bJyz.exe, 00000000.00000002.523143371.000000001B814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bJyz.exe, 00000000.00000002.523143371.000000001B814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: bJyz.exe, 00000000.00000002.513588500.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.dll
Source: bJyz.exe, 00000000.00000002.513588500.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2v
Source: bJyz.exe, 00000000.00000003.259161441.000000001B6A4000.00000004.00000020.00020000.00000000.sdmp, bJyz.exe, 00000000.00000003.259910112.000000001B6A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ff96b8938
Source: bJyz.exe, 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: bJyz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: bJyz.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: bJyz.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: bJyz.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: bJyz.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.bJyz.exe.1c690000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.bJyz.exe.12e36930.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.bJyz.exe.1c690000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.bJyz.exe.12e36930.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.513588500.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.524628508.000000001C690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: bJyz.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: bJyz.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: bJyz.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: bJyz.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.bJyz.exe.1c690000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.bJyz.exe.12e36930.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.bJyz.exe.1c690000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.bJyz.exe.12e36930.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.513588500.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.524628508.000000001C690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: bJyz.exe, 00000000.00000002.513588500.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bJyz.exe
Source: bJyz.exe, 00000000.00000002.521724418.0000000012DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOptions.dll" vs bJyz.exe
Source: bJyz.exe, 00000000.00000000.247674173.00000000009EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs bJyz.exe
Source: bJyz.exe, 00000000.00000002.524628508.000000001C690000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOptions.dll" vs bJyz.exe
Source: bJyz.exe	Binary or memory string: OriginalFilenameClient.exe" vs bJyz.exe

Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BCDB5
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BDCC8
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3ECD78
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BDD98
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3ECD90
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3C2D38
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3B7FD2
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3E7F08
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3B01F8
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3B7226
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BC8B9
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BEAE0
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BE828
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BCDB5
Source: C:\Users\user\Desktop\bJyz.exe	Code function: 0_2_00007FFBAD3BE369

Source: bJyz.exe

ReversingLabs: Detection: 74%

Source: bJyz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bJyz.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: bJyz.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\bJyz.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\Desktop\bJyz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: bJyz.exe, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: bJyz.exe, Client/Settings.cs	Base64 encoded string: '+VuhiX8wAuIzJg0y2sDaNJlfSABM4HBwS+ggFKdNDorWRQOYVGX/Yi+VBZYQk2q4lBblBL6qvXmH9/NlJoUQtw==', '+vT7svnvOo5HDLbtthVVniW6tXSC1gbptNcOiu1TO6McphAnD/s9mu9seE7prV7uNFk2GYRjhPtdUS5R1hzXwg==', 'Xfs7ocqUvcIdVZnav/2kUlhcr+R+ZIcnOa8+dZdYBnWeJK8CrRJ2P3Y8gzp6mv2ueimfFMymeRPpoHGMJz4yBt5D9DNO1ksaVnIKhZjSpB8=', 'YYAEZY7vsCR09whMhD26/o3E1xElfV01ZvxFTqroA/Hvg7BCtiCOeozqnEYS/KH5R72L9h3WLfARZ0to2hVaMNRcYQsMFnRp0WjxWlpJEu8SP/xmUSN42RK1/h63mBgTvtmOdJu8OXRzsahGlx2zQVaSOLigVGInkfLkdAdwM1hCI0MQBOqS97xu4CclyBZj//tKVQKmqSpiSJgGHdqXptAt7hneJFiIVMEoejK4f2a9uCVsRY4lf+X6b+42332kbA19iaGh1j3XrhncdyxMHIMhOKb95sbObUaUUF6cgkET51WtVnYf/2jU6fhJeykvva4YLWkpXe1gv/KsoPEvSQeH18W4xxtxgFYfUBKKQv3fbNwbd10eQnIPRZlMxBpYLxXW9rrb95wU5DY42j5ZS2O2/t5N1zgwes5fbMGRG+mVy2VRIP4lo11QOZjgPbBPlFLOsWEibqMcCeqcjg/TbM8VhGMFIEym1dM3Ck4xhm2BXonrduRD5T3ox8NzUiK1ONhtjK3147mAyk/fFCQ8l61lMIrgNyuUfaxrQeO9vB/aS/S5Ip0mCe0FvGHJ2t+NLsrvtAVMnG0PT4TyOXOMCaJ7y5PLsf7CaM0jlvB2Jg5ipLqVdSdU997NbLopqLem4jAu6Bd4frhz1C1Z0qifq/CvhymYnJjPHbok91wG3JOHFXuYdY0GNZhmx0HesH7KJoKF20mPO+QSOC21qgZnXtDZx79YO8U/NGZG6YfVhH9GBH84L3dkKo8zb9vecpcOPph5RI0wWdpG3XoB8gitL3oCpUja+igjyRppVLdGwE8xDe5n8va9mXQWkzJUfyU3/FiqekxIK6BB4WrSPEYmBDjqtLQivbCWrngXW4CspHKP+m3fc6vYF1IAtUQpd29tjaswv8EkGp9KziLoeHoFbuMn6C7yV7BsSPZGZgVYtSpQ0C0GLwjlqY6eg3eVjvqloobSOzjrrpjnGoM1Yw7BkOZNxxSLKOa7ykDnfu5lULbAlxElWn0crURf8H8aqg1LxtqglOqPA0gU0q2fC1km8kj6YhCaYcXvHw5wJG2S8TIiSW4rsENfpCpFI6yn6cVK', 'Vhbz6cfclY+bNKpAIzygP4zP05iKavujuVTTV/0kzBCtaaD5hs3GR6xyannYysLzwQ+K5Lg/ZzODSugUorvuHYA/llTlpF5u4v0GbQFT3rAj+YKCNsIFc2DWnsG38MNsEcSzsYPQvYTZ5sEdRCc4CBjLhdTho6NY0Aw84TwQzDLl+DSOYXjKlbPyzm0B/Odps+3w8jyoPT46unrMx/rx3t+s4CBWDNzfef9JMzbx8TUT10qwgQhIh9tjvQX/FTWyVOYjm+S4jB2VZcRtGZBtRw4NNxIXIkCFU8zUERv0iQ8=', 'SKy1tijvkkt7kKm0YDVW8lQc8JwhRE60Dq3e/+s78ekhEaoctp9HA73wXQaNxE53nyUhs//lSDiFzZPn/T4ysw==', 'NE91OsuPLOSqAxceFroykNOcCZz2Md9a0uS/T60F58ZHCzZcZQpXeOF5owrnCYEsFsUwaTXbUXXfi9Sqw+us/Q==', 'qyRcgA6UNK/24fppjrErbsb62zhIiPR7uisHk8aj/2sch8ciyyGnhTA94psgQ+Kf4opRWlX2R5L+Hm37xiy0qA=='
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Settings.cs	Base64 encoded string: '+VuhiX8wAuIzJg0y2sDaNJlfSABM4HBwS+ggFKdNDorWRQOYVGX/Yi+VBZYQk2q4lBblBL6qvXmH9/NlJoUQtw==', '+vT7svnvOo5HDLbtthVVniW6tXSC1gbptNcOiu1TO6McphAnD/s9mu9seE7prV7uNFk2GYRjhPtdUS5R1hzXwg==', 'Xfs7ocqUvcIdVZnav/2kUlhcr+R+ZIcnOa8+dZdYBnWeJK8CrRJ2P3Y8gzp6mv2ueimfFMymeRPpoHGMJz4yBt5D9DNO1ksaVnIKhZjSpB8=', 'YYAEZY7vsCR09whMhD26/o3E1xElfV01ZvxFTqroA/Hvg7BCtiCOeozqnEYS/KH5R72L9h3WLfARZ0to2hVaMNRcYQsMFnRp0WjxWlpJEu8SP/xmUSN42RK1/h63mBgTvtmOdJu8OXRzsahGlx2zQVaSOLigVGInkfLkdAdwM1hCI0MQBOqS97xu4CclyBZj//tKVQKmqSpiSJgGHdqXptAt7hneJFiIVMEoejK4f2a9uCVsRY4lf+X6b+42332kbA19iaGh1j3XrhncdyxMHIMhOKb95sbObUaUUF6cgkET51WtVnYf/2jU6fhJeykvva4YLWkpXe1gv/KsoPEvSQeH18W4xxtxgFYfUBKKQv3fbNwbd10eQnIPRZlMxBpYLxXW9rrb95wU5DY42j5ZS2O2/t5N1zgwes5fbMGRG+mVy2VRIP4lo11QOZjgPbBPlFLOsWEibqMcCeqcjg/TbM8VhGMFIEym1dM3Ck4xhm2BXonrduRD5T3ox8NzUiK1ONhtjK3147mAyk/fFCQ8l61lMIrgNyuUfaxrQeO9vB/aS/S5Ip0mCe0FvGHJ2t+NLsrvtAVMnG0PT4TyOXOMCaJ7y5PLsf7CaM0jlvB2Jg5ipLqVdSdU997NbLopqLem4jAu6Bd4frhz1C1Z0qifq/CvhymYnJjPHbok91wG3JOHFXuYdY0GNZhmx0HesH7KJoKF20mPO+QSOC21qgZnXtDZx79YO8U/NGZG6YfVhH9GBH84L3dkKo8zb9vecpcOPph5RI0wWdpG3XoB8gitL3oCpUja+igjyRppVLdGwE8xDe5n8va9mXQWkzJUfyU3/FiqekxIK6BB4WrSPEYmBDjqtLQivbCWrngXW4CspHKP+m3fc6vYF1IAtUQpd29tjaswv8EkGp9KziLoeHoFbuMn6C7yV7BsSPZGZgVYtSpQ0C0GLwjlqY6eg3eVjvqloobSOzjrrpjnGoM1Yw7BkOZNxxSLKOa7ykDnfu5lULbAlxElWn0crURf8H8aqg1LxtqglOqPA0gU0q2fC1km8kj6YhCaYcXvHw5wJG2S8TIiSW4rsENfpCpFI6yn6cVK', 'Vhbz6cfclY+bNKpAIzygP4zP05iKavujuVTTV/0kzBCtaaD5hs3GR6xyannYysLzwQ+K5Lg/ZzODSugUorvuHYA/llTlpF5u4v0GbQFT3rAj+YKCNsIFc2DWnsG38MNsEcSzsYPQvYTZ5sEdRCc4CBjLhdTho6NY0Aw84TwQzDLl+DSOYXjKlbPyzm0B/Odps+3w8jyoPT46unrMx/rx3t+s4CBWDNzfef9JMzbx8TUT10qwgQhIh9tjvQX/FTWyVOYjm+S4jB2VZcRtGZBtRw4NNxIXIkCFU8zUERv0iQ8=', 'SKy1tijvkkt7kKm0YDVW8lQc8JwhRE60Dq3e/+s78ekhEaoctp9HA73wXQaNxE53nyUhs//lSDiFzZPn/T4ysw==', 'NE91OsuPLOSqAxceFroykNOcCZz2Md9a0uS/T60F58ZHCzZcZQpXeOF5owrnCYEsFsUwaTXbUXXfi9Sqw+us/Q==', 'qyRcgA6UNK/24fppjrErbsb62zhIiPR7uisHk8aj/2sch8ciyyGnhTA94psgQ+Kf4opRWlX2R5L+Hm37xiy0qA=='

Source: C:\Users\user\Desktop\bJyz.exe

Mutant created: \Sessions\1\BaseNamedObjects\hAtBdUenfThOelUfgThs

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\bJyz.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: bJyz.exe, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: bJyz.exe, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: bJyz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bJyz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: bJyz.exe, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: bJyz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

Source: C:\Users\user\Desktop\bJyz.exe

Key value created or modified: HKEY_CURRENT_USER\Software\BA7AEA76E9385949810A F7A2CF016280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F

Jump to behavior

Source: C:\Users\user\Desktop\bJyz.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bJyz.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: bJyz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

Source: C:\Users\user\Desktop\bJyz.exe

Window / User API: threadDelayed 9779

Source: C:\Users\user\Desktop\bJyz.exe TID: 2244	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\bJyz.exe TID: 1164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bJyz.exe TID: 1164	Thread sleep count: 119 > 30
Source: C:\Users\user\Desktop\bJyz.exe TID: 5112	Thread sleep count: 9779 > 30

Source: C:\Users\user\Desktop\bJyz.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bJyz.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bJyz.exe

File Volume queried: C:\ FullSizeInformation

Source: bJyz.exe, 00000000.00000003.259910112.000000001B6C2000.00000004.00000020.00020000.00000000.sdmp, bJyz.exe, 00000000.00000002.513588500.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, bJyz.exe, 00000000.00000003.259161441.000000001B6BF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\bJyz.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\bJyz.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: bJyz.exe, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: bJyz.exe, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 0.0.bJyz.exe.9e0000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')

Source: bJyz.exe, 00000000.00000003.388373992.000000001B65F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bJyz.exe, 00000000.00000002.522734708.000000001B654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F

Source: C:\Users\user\Desktop\bJyz.exe	Queries volume information: C:\Users\user\Desktop\bJyz.exe VolumeInformation
Source: C:\Users\user\Desktop\bJyz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\bJyz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\bJyz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: bJyz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bJyz.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

Source: bJyz.exe, 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: bJyz.exe, 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: bJyz.exe, 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\bJyz.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bJyz.exe PID: 6064, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Modify Registry	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
bJyz.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRAT
bJyz.exe	100%	Avira	HEUR/AGEN.1202835
bJyz.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.bJyz.exe.9e0000.0.unpack	100%	Avira	HEUR/AGEN.1202835		Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bJyz.exe, 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.197.196.201	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	798022
Start date and time:	2023-02-03 17:08:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	bJyz.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 62% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:09:07	API Interceptor	1x Sleep call for process: bJyz.exe modified

Process:	C:\Users\user\Desktop\bJyz.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62932 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62932
Entropy (8bit):	7.9958071285043335
Encrypted:	true
SSDEEP:	1536:pvl2gmukMiArbge/oKIxf+Q9yNJLaRCfIElhUuDz:pvl2gmZhpehIxfJsJLawfIElhUu3
MD5:	FC4666CBCA561E864E7FDF883A9E6661
SHA1:	2F8D6094C7A34BF12EA0BBF0D51EE9C5BB7939A5
SHA-256:	10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
SHA-512:	C71F54B571E01F247F072BE4BBEBDF5D8410B67EB79A61E7E0D9853FE857AB9BD12F53E6AF3394B935560178107291FC4BE351B27DEB388EBA90BA949633D57D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.................oU.s .authroot.stl......5..CK..8U[...q.yL;sf!d.D..."2."C...2....RRRHnT...\...!2.)QQ2..nN.\7.....lgYk;.^.....}..h4.....Kc.cG.q.tY..Drg<..G.D....c.qnx..G.......r.8.....w...;.Q6..o.xf:f..:NL[.`..]I.@ ,W..J..Qf.z9.<.../.D.p:0R...#..I,.%.+."...B.n)...[Y=.,0...R.#..G5..2..]........$p..3.M.O...._L.......g.....?=.J..!...G~.#.J:.Wj.........9(:..g.8,.o.b...3..C..t.7L=..+~%pc...%..b(.q.......F.'...@~P .6CA.(d.Z~..6....=.).9......A........p...Gy....7U.L....S...^.R.T.p...R..:.hr./..8...a&p.l(....g.3a)...[.M..v.......g,.U..l.F..._kJv.4.rG.{.K.6.X.rz.8.r..&..G.j..p".z...L...EUX.......;...Y.................j}..FrT.,J3.d?T.T}Q..hn.?.4F...~K...........'...c...X,.v..yk..0._.j\|.(.q4k1....^b..6...z..\9'}.%....S.[..D.k....J.../D$.#..O.o~%S.9u....\|61.........~....Q+.w.e....7}..:.....^.p.mKm._9v......'.3T..bY3..9a..p.'1..Lx.O.g..J5w+.r..K.R.P.....E0bf*r...c..;...`.j...i.;y.C..#\|L.e.(.....w.X'...z../.-...c.......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\bJyz.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1622517087080704
Encrypted:	false
SSDEEP:	6:kKfkbqz7ksN+SkQlPlEGYRMY9z+4KlDA3RUe+OGNglcy:3gkPlE99SNxAhUefblcy
MD5:	9791687408C92B574852664A2A139FBE
SHA1:	1953F9F8AE25F0A092F97CDE6B0C0449B6D3F47E
SHA-256:	2CD222148E55434B95D78075A312B0D17F9F887CDE03351A80B497C82C59BE24
SHA-512:	C5730A8737C3CB86AF552B060ACB367327002B36D5897B4726F4F677B6592C4F6D46A0C7D6C74F0D766BFE5760E187E6F164558C2046BA1AE6DB49A56FD3C091
Malicious:	false
Reputation:	low
Preview:	p...... ........<}.H58..(....................................................... .........g.%.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.a.1.6.7.1.3.2.5.4.d.9.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.613815254840868
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	bJyz.exe
File size:	48640
MD5:	90631c5269980f1ea596b3c76974d262
SHA1:	889a1edb9b462ed0d3a5cc8ecf0427696d6095c5
SHA256:	c40f3216652866e041fd154c38dab5f443f65da7e995e45ce473bf2662e2f7e4
SHA512:	c129df24c9302a9c0cae09cbe1a5c9efca3848719cc80e1801cf8ccdac9d1a714c03cb590446394e2e14ba16dc8bb8e7e6c1ae1110271dcf0896e08634cbb9cd
SSDEEP:	768:dOEuILWCKi+DiBtelDSN+iV08YbygemmbbeUZvEgK/J9lZVc6KN:dOtmBtKDs4zb1CbeMnkJ3ZVclN
TLSH:	E0235D4037A88136F2BD4BB4ACF3E6418679D6672903CB596CC814EA1F13BC596136FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40cb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab94	0xac00	False	0.5017941497093024	data	5.638708895934839	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe0a0	0x2d4	data
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
20.197.196.201192.168.2.37749496962034847 02/03/23-17:09:07.069273	TCP	2034847	ET TROJAN Observed Malicious SSL Cert (AsyncRAT)	7749	49696	20.197.196.201	192.168.2.3
20.197.196.201192.168.2.37749496962848152 02/03/23-17:09:07.069273	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	7749	49696	20.197.196.201	192.168.2.3

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2023 17:09:06.607144117 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:06.813460112 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:06.813837051 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:06.862319946 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:07.069272995 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:07.078433037 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:07.287728071 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:07.336616993 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:10.136526108 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:10.395560026 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:10.397387028 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:10.645347118 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:20.613480091 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:20.863555908 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:20.863729000 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:21.070712090 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:21.150341988 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:21.356370926 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:21.462884903 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:21.818762064 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:22.069905996 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:22.070169926 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:22.321868896 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:30.714652061 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:30.960663080 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:30.960901022 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:31.168541908 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:31.213999033 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:31.419823885 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:31.463843107 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:31.467777967 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:31.726895094 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:31.727005005 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:31.979392052 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:35.538480997 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:35.589293003 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:35.795751095 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:35.839358091 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:39.683552027 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:39.730190039 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:39.936290979 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:39.972337961 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.232105970 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.232273102 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.479365110 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492341995 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492414951 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492474079 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492532969 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492590904 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492647886 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492664099 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.492664099 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.492710114 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492768049 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492786884 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.492825985 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492851973 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.492883921 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492942095 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.492999077 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.493057966 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.493098974 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699225903 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699265957 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699300051 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699342012 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699368000 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699408054 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699438095 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699457884 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699460030 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699460030 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699479103 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699500084 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699520111 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699525118 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699525118 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699539900 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699559927 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699579000 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699588060 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699599981 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699608088 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699620962 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699641943 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699644089 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699661970 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699681044 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699697018 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699700117 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699721098 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699738026 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699740887 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.699779034 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.699805975 CET	49696	7749	192.168.2.3	20.197.196.201
Feb 3, 2023 17:09:40.906342983 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.906413078 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.906459093 CET	7749	49696	20.197.196.201	192.168.2.3
Feb 3, 2023 17:09:40.906502962 CET	7749	49696	20.197.196.201	192.168.2.3

Target ID:	0
Start time:	17:09:02
Start date:	03/02/2023
Path:	C:\Users\user\Desktop\bJyz.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\bJyz.exe
Imagebase:	0x9e0000
File size:	48640 bytes
MD5 hash:	90631C5269980F1EA596B3C76974D262
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.247662620.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.513588500.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000000.00000002.524628508.000000001C690000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.515092769.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bJyz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

TCP Packets

Windows Analysis Report
bJyz.exe