Edit tour

Windows Analysis Report
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Overview

General Information

Sample name:	172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Analysis ID:	1522870
MD5:	c515cb9490a76b18731e0ddeb339b00f
SHA1:	ccea963a43550069a16877ee2f4ef802137415b0
SHA256:	3fc957b37cf0b4e0ecfcde1dfad0bd220434e32545b5e16ebf0ef35e9c858762
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe" MD5: C515CB9490A76B18731E0DDEB339B00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x4e9:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x108c:$b2: DcRat By qwqdanchun1
00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x98ec:$a2: timeout 3 > NUL 0x990c:$a3: START "" " 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xaa9a0:$b2: DcRat By qwqdanchun1
00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5438c:$b2: DcRat By qwqdanchun1 0x6e288:$b2: DcRat By qwqdanchun1
00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x5478:$b1: DcRatByqwqdanchun 0x3f6a4:$b2: DcRat By qwqdanchun1
00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x219374:$b2: DcRat By qwqdanchun1 0x276cd8:$b2: DcRat By qwqdanchun1 0x27e9fc:$b2: DcRat By qwqdanchun1 0x27ec4c:$b2: DcRat By qwqdanchun1
Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x41441:$a1: havecamera 0x67ef:$b1: DcRatByqwqdanchun 0x46024:$b1: DcRatByqwqdanchun 0x122d3:$b2: DcRat By qwqdanchun1 0x13962:$b2: DcRat By qwqdanchun1 0x18a14:$b2: DcRat By qwqdanchun1 0x26a18:$b2: DcRat By qwqdanchun1 0x2e625:$b2: DcRat By qwqdanchun1
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 89.117.23.22, DestinationIsIpv6: false, DestinationPort: 4455, EventID: 3, Image: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Initiated: true, ProcessId: 6456, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T19:26:03.592103+0200	2034847	1	Domain Observed Used for C2 Detected	89.117.23.22	4455	192.168.2.4	49731	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T19:26:03.592103+0200	2842478	1	Malware Command and Control Activity Detected	89.117.23.22	4455	192.168.2.4	49731	TCP

ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T19:26:03.592103+0200	2848048	1	Domain Observed Used for C2 Detected	89.117.23.22	4455	192.168.2.4	49731	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Avira: detected

Found malware configuration

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Malware Configuration Extractor: AsyncRAT {"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Joe Sandbox ML: detected

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 89.117.23.22:4455 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 89.117.23.22:4455 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 89.117.23.22:4455 -> 192.168.2.4:49731

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: )8"zc

Uses dynamic DNS services

Source: unknown

DNS query: name: dczas.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 89.117.23.22:4455

Source: Joe Sandbox View

IP Address: 89.117.23.22 89.117.23.22

Source: Joe Sandbox View

ASN Name: LRTC-ASLT LRTC-ASLT

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dczas.duckdns.org

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935177450.000000001BB4D000.00000004.00000020.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.0000000001175000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8f
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Code function: 0_2_00007FFD9B898346	0_2_00007FFD9B898346
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Code function: 0_2_00007FFD9B89C56F	0_2_00007FFD9B89C56F
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Code function: 0_2_00007FFD9B8990F2	0_2_00007FFD9B8990F2
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Code function: 0_2_00007FFD9B8930E2	0_2_00007FFD9B8930E2

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671267055.0000000000DDE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe" vs 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Settings.cs	Base64 encoded string: 'm1SVmzq41bUtAgiVmChGud35fX/aUNtosr8PYStFYOAnPrN+XR+IkjYiqiUpGtB3iVUC/dwECsCyuNfy8XiQAX4f4BhMF5n5tkjlBy9/rl0=', 'iL4iV3kbq9Wc0eHBghluHFSJGvtmXcYzxD3f8ndQ9uTnqLo5XWL/Ob2NJszbQS9lzFt1jtk75UQxLxfydXIBbg==', 'NiwdLwCGJgE9T7NLnBzBzUZfLUnyV6dx/ze20L7vWNWQ5mgVR+i6SjVmK91d/XSyq8PTQbbEpEgD0Xcz2y73QaWV99k2Y1Pt+k+9qXbk4PVBd+RqCLBna/DVB9TyjaEidnq1LUCkN2zxPmQaYaEvCgmRmdNoBfuk36jL1sYox30ftHy5iwhDgfI8fL3PpwAo3sNeka/8mx1KcBGR7oR1xVUtiKEzj2D/1D0w24ko+BPZT7PtOwOk/zDAz2BhLe2bfHbQfgQPn2k2xohtMzwXk2d1LJokIAhKOsfQJ3IsiLkxzOAXHL+Zz7hFHWBUaTa74PzCj7UfJlo9t7tL31QcU0Ut5s1Z7GDAxwuCsQ+4EzdbnwOAr3L13MzLh/+6y0AmG8WY9d2v7FLTX49s6HUqXpfCJRrXXHSXolFZyNXJqU03WuCVMP3GnWK91ZRKysddcBJYYLw7JcGX0jSLUaFDCOShBrZcR1uNqWGg3y5kzcjvkNKmSLFHUt2yApjlgOV3LvWJ10fwH+T7AP8aFNYnyqz/JKxqqIJI29IaIpV1p7PytVd8DrnVQxsy2MIw4VmUjU68usaUG1/Sq003yCFYdKuWDoYb9XReUAYDxzoG4KEcVXpQiIgn3zmO+fNWbIWUMeR50jVsNO8+HO30YezLEMATPkCTImVSQAeDK4Wm6pW16ivu30DMoIRVu+JE1Oxe1HkxdJZaT1fik4dKGO58CYSSeiUTyrUbI6kBZQnDVnBzkNu2Al6SwE73fajFQLal+oSGQ2T9MhdGgEGVOYUGWoI+0y9lX9fJGbdja0QpZ8IOom55sJJp2mAYPqxtpzULHJeDbSQto9MeA7meSBtk7rEJECdJHtIqe5Dd+7fWE4v68VSq+rkJr4ZzP6YIZ+Js0KXt1TWnQ22NcCZ3aooBNp7Lm/ZW706KP6Wj1Zn74tOEq78XWGXGPsZ2JvxQoCk45CTkBqTr58qnivpoprK+t+TL4LBqtyBV+iHUkivD4I+OfR1MRJm/SSoJKHHT0YgDwv+d/r9ZqNKvRP1sv456gPAESQDOHbKMPTM9qe+3KzFdhYSV6gRZfTnAPBjEnfSl', 'UB9UzwA9tGakGgTcozLufAUFQxQCuoOi+9ktVsBWG9zFIaU239Gos24AjhaHGQraIeSRRMO3GubTGWn/PCwrNYDzeS4gR3UOWKRrfG9785AWj+/K1SLSEQEyKczGXXNvpC+Yxv5Iymd50ZYpBzwc9x1ME3yP5inYKo5PAUjVoKBlbQlnkfav1AqoOrhH7ohpYYwiXO65nsLpVF8JreGq/VlAHr1JQ9fopC032bYNkBljQf6l83C+UrfxPGpwixgV84GrrDa4efbY4mhD/tCoGnoWO4dgjbGj+FO0qjoyq3E=', 'MIlzi1B7PthTHEHMqprZFE7qh2CwotWNt1bDN2lDdtoVWtDWHS/TzpIcw4Wbme2XtTl/hfh6Cu0vUdf8k+aIhQ==', 'K37OLhwW8YSNgPJaT0/aIK6XT8xXXyJ8hP5zAzYNpppfpBxw4RuVM3WlDbJs4ti69CCz6JpT8wlSjr3femWfpw==', 'j59e0As5uh5mS607NeJD0+mZaKrTbSvccTOP1iThRoCdeFwO1hE/wQ4vuh1aDrUI68wwcvmfYRuWnrMNT8SRhg=='
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@2/1

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Section loaded: msdmo.dll	Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Code function: 0_2_00007FFD9B8900BD pushad ; iretd

0_2_00007FFD9B8900C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Memory allocated: 1720000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Window / User API: threadDelayed 7297			Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	Window / User API: threadDelayed 2558			Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6748	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6744	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6768	Thread sleep count: 7297 > 30	Jump to behavior
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6768	Thread sleep count: 2558 > 30	Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935735781.000000001BC05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWIU
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935735781.000000001BC05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.0000000001244000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000340C000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000340C000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000313E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MSASCui.exe
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935595084.000000001BBD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	100%	Avira	HEUR/AGEN.1307404
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dczas.duckdns.org	89.117.23.22	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
)8"zc	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.117.23.22	dczas.duckdns.org	Lithuania		15419	LRTC-ASLT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522870
Start date and time:	2024-09-30 19:25:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Simulations

Behavior and APIs

Time	Type	Description
13:26:03	API Interceptor	2x Sleep call for process: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
89.117.23.22	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse
	1726981024eaba256966e5d64020ad74d345ce2969fae5805b304862945360330900888386844.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	decode_ba297ca42bf569929d6fafd20a8ed9212b3012291d38a6ec2be3376d5488c4a5.exe	Get hash	malicious	Remcos	Browse
	decode_43048329e6cd6df3e144e8592c1194cf0da5e9113653ea155e664cbcc08b4b27.exe	Get hash	malicious	AsyncRAT	Browse
	1712325245721159bca57d1b66796bd3ddc0e68293cb290af6bbd263878d0bd09c0ee48caa758.dat-decoded.exe	Get hash	malicious	Njrat	Browse
	1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dczas.duckdns.org	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	89.117.23.22

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LRTC-ASLT	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	89.117.23.22
	mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	shelld.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	arm61.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	dss.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69
	co.elf	Get hash	malicious	Gafgyt, Mirai	Browse	89.117.23.69

Process:	C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1226493792132195
Encrypted:	false
SSDEEP:	6:kKFo9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VDnLNkPlE99SNxAhUe/3
MD5:	9F6F9C45E4AFD16124569BE3C575C958
SHA1:	B2D2EEA9AB4B74FD5C55692833262E3D8F3C9EF2
SHA-256:	5857F846F084BD66199A467EA48EA2D6A4F7BE73812BAE5FF28702CA55AEB022
SHA-512:	D9B78EF6D026A11A75CBE84F32EF978B9F1D5DA23C7DA52186E234BECE10B830084225AFCB72A90F6464B7C45EC7AF6A5240404D4AB300B849B3EA46A47989DD
Malicious:	false
Reputation:	low
Preview:	p...... ........-.N.]...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.619485173826498
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
File size:	48'640 bytes
MD5:	c515cb9490a76b18731e0ddeb339b00f
SHA1:	ccea963a43550069a16877ee2f4ef802137415b0
SHA256:	3fc957b37cf0b4e0ecfcde1dfad0bd220434e32545b5e16ebf0ef35e9c858762
SHA512:	120aa8b5c4fed3ea6a6393a5dd449e57b135b541352e01e7592da284aca75e57a1549a7236eb5db6ca6bfe6221b3d6d708b19b8e09e3bb361ee40bbbf62c1f53
SSDEEP:	768:xGq+s3pUtDILNCCa+DiugjAWksLqR2k8A0Pip8YbggemWuNp7RvEgK/JLZVc6KN:8q+AGtQOuLWnLAHzbHpWunkJLZVclN
TLSH:	E9237D0037D8C136E2FD4BB8A9F2A1458279D6676903CB596CC811EA2F13BC597036FE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cbbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60930A0B [Wed May 5 21:11:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb68	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xdf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabc4	0xac00	93cad8408fde35203b2ba080b2c497ab	False	0.502452761627907	data	5.64510050454448	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0xdf7	0xe00	2083376922615c09cdda9acfd9305376	False	0.4017857142857143	data	5.110607648061562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	82148d01c3935cf90ef81a3dd1fad607	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2d4	data			0.4350828729281768
RT_MANIFEST	0xe374	0xa83	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.40245261984392416

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T19:26:03.592103+0200	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	89.117.23.22	4455	192.168.2.4	49731	TCP
2024-09-30T19:26:03.592103+0200	2034847	ET MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	89.117.23.22	4455	192.168.2.4	49731	TCP
2024-09-30T19:26:03.592103+0200	2848048	ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)	1	89.117.23.22	4455	192.168.2.4	49731	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 19:26:02.975022078 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:02.979851007 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:02.979943991 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:03.103795052 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:03.108633995 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:03.578365088 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:03.585633039 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:03.592103004 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:03.772414923 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:03.825778961 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:04.925486088 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:04.930356979 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:04.930428028 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:04.935242891 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:15.659555912 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:15.664908886 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:15.667177916 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:15.672121048 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:15.951904058 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:15.997849941 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:16.073275089 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:16.092294931 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:16.097054958 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:16.097150087 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:16.101977110 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.389312029 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:26.396758080 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.396826982 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:26.401953936 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.685760021 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.732101917 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:26.818392038 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.838044882 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:26.842869043 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:26.842948914 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:26.848830938 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:31.691037893 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:31.732058048 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:31.821161032 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:31.872698069 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.124174118 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.129187107 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:37.129262924 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.134598017 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:37.419847965 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:37.466486931 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.542428970 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:37.544387102 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.549180984 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:37.549254894 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:37.554059029 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:47.857639074 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:47.865606070 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:47.865659952 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:47.875864029 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:48.209296942 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:48.263344049 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:48.376854897 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:48.379714966 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:48.384752989 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:48.384838104 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:48.389976025 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.592633963 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:58.598229885 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.598315954 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:58.605026007 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.784645081 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.825896978 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:58.918900013 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.921278954 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:58.926074028 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:26:58.926157951 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:26:58.931011915 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:00.307725906 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:00.357090950 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:00.443069935 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:00.497797966 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.326359987 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.331218004 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:09.331343889 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.336482048 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:09.628664970 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:09.669598103 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.746120930 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:09.749620914 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.754393101 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:09.754477978 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:09.759352922 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:20.061691046 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:20.066637039 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:20.066728115 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:20.072573900 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:21.572782993 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:21.622729063 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:21.703440905 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:21.705737114 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:21.711597919 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:21.711678028 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:21.716454983 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:30.302850008 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:30.357136011 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:30.435988903 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:30.482150078 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:30.795116901 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:30.800188065 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:30.800270081 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:30.805187941 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:31.090950966 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:31.138463974 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:31.216512918 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:31.218383074 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:31.224740028 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:31.224795103 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:31.231228113 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.529463053 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:41.534537077 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.534689903 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:41.541759968 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.824270010 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.872756004 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:41.954829931 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.956759930 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:41.961584091 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:41.961685896 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:41.966578007 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.266056061 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:52.271003962 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.271054983 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:52.275813103 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.559330940 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.607326984 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:52.688034058 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.692657948 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:52.697501898 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:27:52.697571993 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:27:52.702464104 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:00.309998035 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:00.357167959 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:00.443717003 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:00.497776031 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:02.998327971 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:03.003072023 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:03.003165960 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:03.007951021 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:03.293884993 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:03.341581106 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:03.435340881 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:03.469825029 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:03.475316048 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:03.475496054 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:03.481698036 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.547863007 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:04.553597927 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.555990934 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:04.560781002 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.840620041 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.888474941 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:04.967617989 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.968406916 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:04.973551989 CEST	4455	49731	89.117.23.22	192.168.2.4
Sep 30, 2024 19:28:04.973620892 CEST	49731	4455	192.168.2.4	89.117.23.22
Sep 30, 2024 19:28:04.978511095 CEST	4455	49731	89.117.23.22	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 19:26:01.294095993 CEST	59303	53	192.168.2.4	1.1.1.1
Sep 30, 2024 19:26:02.294790983 CEST	59303	53	192.168.2.4	1.1.1.1
Sep 30, 2024 19:26:02.955117941 CEST	53	59303	1.1.1.1	192.168.2.4
Sep 30, 2024 19:26:02.955159903 CEST	53	59303	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 19:26:01.294095993 CEST	192.168.2.4	1.1.1.1	0x2cdc	Standard query (0)	dczas.duckdns.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 19:26:02.294790983 CEST	192.168.2.4	1.1.1.1	0x2cdc	Standard query (0)	dczas.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 19:26:02.955117941 CEST	1.1.1.1	192.168.2.4	0x2cdc	No error (0)	dczas.duckdns.org		89.117.23.22	A (IP address)	IN (0x0001)	false
Sep 30, 2024 19:26:02.955159903 CEST	1.1.1.1	192.168.2.4	0x2cdc	No error (0)	dczas.duckdns.org		89.117.23.22	A (IP address)	IN (0x0001)	false

Analysis Process: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exePID: 6456, Parent PID: 2580

General

Target ID:	0
Start time:	13:25:56
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe"
Imagebase:	0xdd0000
File size:	48'640 bytes
MD5 hash:	C515CB9490A76B18731E0DDEB339B00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exePID: 6456, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B89C56F Relevance: 3.0, Strings: 1, Instructions: 1722
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L, xrefs: 00007FFD9B89C95C

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: a9a387641d25a216e7394be14e9d818cef5c6ccad01af29a394931a68e7aa220
Instruction ID: 6d015024ae8b8a7a2ea56e75d5fb65c1b0f691839348944f01179225593fe6cf
Opcode Fuzzy Hash: a9a387641d25a216e7394be14e9d818cef5c6ccad01af29a394931a68e7aa220
Instruction Fuzzy Hash: 85B22821B1DD0D4FEB6CEB6C94A5A7977D2EFA8300F1541BAD01EC31E7DE28A8428741

Function 00007FFD9B8930E2 Relevance: 2.0, Strings: 1, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00007FFD9B89321A

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 2516206c63268a754b9f4899f22b684e5b525072ffbdb54ce3bf5c2b8e18d7be
Instruction ID: 472366098087e8278bf4b1f5c146940781b71ac91543763e90b4bf6296be4358
Opcode Fuzzy Hash: 2516206c63268a754b9f4899f22b684e5b525072ffbdb54ce3bf5c2b8e18d7be
Instruction Fuzzy Hash: 8332E431B1994A8FEBA8EB6C847567977D2FF9C314F500179E41EC32DADE28AC428741

Function 00007FFD9B898346 Relevance: .5, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd87c78959d3f97b12d4a8a5f581e96c6799e0df0301b197fcfb3e52dbf265dc
Instruction ID: b895378eec34dd5a2e314bce24f30bc32cb3db46c2c944193ac4b200ae693d8f
Opcode Fuzzy Hash: dd87c78959d3f97b12d4a8a5f581e96c6799e0df0301b197fcfb3e52dbf265dc
Instruction Fuzzy Hash: 77F19630A09A4E8FEFA8DF28C8557E93BD1FF58350F04426EE84DC7295DB7499458B82

Function 00007FFD9B8990F2 Relevance: .5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265f110b437ed40d359089fc3b32f69c33d142b136c1b92b3e3b0ae3f5e31be6
Instruction ID: 9d6e83e19b794fafc1d94b00f659d88362a6af7d285556763e36f9c803f57844
Opcode Fuzzy Hash: 265f110b437ed40d359089fc3b32f69c33d142b136c1b92b3e3b0ae3f5e31be6
Instruction Fuzzy Hash: 84E1D530A09A4E4FEFA8DF68C8697E97BD1FF58310F04426EE81DC7295DA7499418781

Function 00007FFD9B8929E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FFD9B892ABF

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c325fb9d056198465e815d2219cb8e5b704c50bc771cfc771e1ff8363a037276
Instruction ID: 57b78655a951a542f15d46adb4e87b86a7e769fe60d44605a8ee3806c6b180a4
Opcode Fuzzy Hash: c325fb9d056198465e815d2219cb8e5b704c50bc771cfc771e1ff8363a037276
Instruction Fuzzy Hash: 73417F30A08A1C8FDB98DF98D855BEDBBF1FF99310F1041AAD04DD7296DA74A841CB41

Function 00007FFD9B892D3D Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFD9B892E1A

Memory Dump Source

Source File: 00000000.00000002.2936732828.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b28e504b10ded42f1a787fe27f7aff71487f63150bbc91a461fbe5cf241abc4e
Instruction ID: 66f9cbf645fe5ea404f88d8aacc63009c133d4c230520fa89b19569d5398cc82
Opcode Fuzzy Hash: b28e504b10ded42f1a787fe27f7aff71487f63150bbc91a461fbe5cf241abc4e
Instruction Fuzzy Hash: 4741063190D7884FDB1D9BA89C566AD7FE0EF56321F0442AFD099C31A3DA746406C782

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe

Function 00007FFD9B89C56F Relevance: 3.0, Strings: 1, Instructions: 1722
COMMON

Function 00007FFD9B8930E2 Relevance: 2.0, Strings: 1, Instructions: 758
COMMON

Function 00007FFD9B898346 Relevance: .5, Instructions: 471
COMMON

Function 00007FFD9B8990F2 Relevance: .5, Instructions: 457
COMMON

Function 00007FFD9B8929E1 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Function 00007FFD9B892D3D Relevance: 1.6, APIs: 1, Instructions: 137
memoryCOMMON