Source: G53ADrk4YR.exe |
Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "82.9.14.4", "Ports": "4646", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "YlI4UnRocUdNejc0T0tMOUhRdTZYTjg2VEZ6NkdUbXM=", "Install_File": "9szcpXIQxGWxvmQS8p44gtl5LdbDWmPDbhg+2XdmCeFwoZYQ6hKy9UoJQeeL1WdkBZN6SITykc/uKqIRqt72GFPyOiY3TLQYsVr71wluteQ=", "AES_key": "bR8RthqGMz74OKL9HQu6XN86TFz6GTms", "Mutex": "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", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"} |
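Worked example, added here and not part of the Joe Sandbox extractor or the AsyncRAT client: the Install_Folder value above base64-decodes to exactly the string printed as AES_key, so that field is the client's base64-encoded Settings.Key rather than a folder name, and the 108-character Install_File value decodes to 80 bytes, the size of a stock AsyncRAT Settings string (32-byte HMAC-SHA256, 16-byte IV, 32 bytes of AES-256-CBC ciphertext). The Go program below rebuilds the stock Aes256 routine (PBKDF2-HMAC-SHA1 over the key string with the fixed salt and 50000 iterations, then HMAC verification and CBC decryption with PKCS7 unpadding) and checks it by a round trip under the sample's key. Assumptions: the salt and iteration count of the stock client are unchanged in this "Edit by Vinom Rat" build; the plaintext of the Install_File blob is not established on this page and is not claimed here; all function and constant names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Field values copied from the extractor output above.
const (
	installFolderField = "YlI4UnRocUdNejc0T0tMOUhRdTZYTjg2VEZ6NkdUbXM="
	aesKeyField        = "bR8RthqGMz74OKL9HQu6XN86TFz6GTms"
	installFileField   = "9szcpXIQxGWxvmQS8p44gtl5LdbDWmPDbhg+2XdmCeFwoZYQ6hKy9UoJQeeL1WdkBZN6SITykc/uKqIRqt72GFPyOiY3TLQYsVr71wluteQ="
)

// Stock AsyncRAT Aes256 salt and iteration count; assumed unchanged in this "Vinom Rat" build.
var asyncSalt = []byte{0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41}
const pbkdf2Iterations = 50000

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1, the default PRF of .NET Rfc2898DeriveBytes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf, ctr, out := hmac.New(sha1.New, password), make([]byte, 4), []byte(nil)
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, block)
		prf.Reset(); prf.Write(salt); prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset(); prf.Write(u); u = prf.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeys mirrors the Aes256 constructor: GetBytes(32) for the AES key, then GetBytes(64) for the HMAC key.
func DeriveKeys(masterKey string) (aesKey, authKey []byte) {
	d := pbkdf2SHA1([]byte(masterKey), asyncSalt, pbkdf2Iterations, 96)
	return d[:32], d[32:]
}

// MasterKeyFromField decodes Settings.Key as the client does (base64, then UTF-8).
func MasterKeyFromField(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	return string(raw), err
}

// DecryptSetting reverses the Settings string layout
// base64( HMAC-SHA256(iv||ct) || iv || ct ), AES-256-CBC with PKCS7 padding.
func DecryptSetting(masterKey, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < 64 || (len(blob)-48)%aes.BlockSize != 0 {
		return "", fmt.Errorf("undecodable or malformed blob (err=%v, len=%d)", err, len(blob))
	}
	aesKey, authKey := DeriveKeys(masterKey)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(blob[32:]) // the MAC covers IV and ciphertext, not itself
	if !hmac.Equal(mac.Sum(nil), blob[:32]) {
		return "", fmt.Errorf("invalid message authentication code (MAC)")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := make([]byte, len(blob)-48)
	cipher.NewCBCDecrypter(block, blob[32:48]).CryptBlocks(pt, blob[48:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return string(pt[:len(pt)-pad]), nil
	}
	return "", fmt.Errorf("bad PKCS7 padding")
}

// EncryptSetting is the forward direction, used only to build blobs under the sample's key for a
// round-trip check; the IV is caller supplied for determinism (the real client draws a random one).
func EncryptSetting(masterKey, plaintext string, iv [aes.BlockSize]byte) string {
	aesKey, authKey := DeriveKeys(masterKey)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(aesKey)
	body := make([]byte, aes.BlockSize+len(padded))
	copy(body, iv[:])
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...))
}

func main() {
	mk, _ := MasterKeyFromField(installFolderField)
	fmt.Printf("Install_Folder decodes to %q; equals AES_key: %v\n", mk, mk == aesKeyField)
	pt, err := DecryptSetting(mk, installFileField) // 80 bytes: 32 MAC + 16 IV + 32 ciphertext
	fmt.Printf("Install_File: %q err=%v\n", pt, err)
}
```

Run as is to see whether the Install_File blob decrypts under the stock parameters. A MAC failure means either the salt or iteration count was changed in this build, or the field is not a Settings string at all; it does not mean the key is wrong, since the key is confirmed by the Install_Folder decode.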
Source: G53ADrk4YR.exe |
ReversingLabs: Detection: 76% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: G53ADrk4YR.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: G53ADrk4YR.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Network traffic |
Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 82.9.14.4:4646 -> 192.168.2.4:49730 |
Source: Network traffic |
Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 82.9.14.4:4646 -> 192.168.2.4:49730 |
Source: Network traffic |
Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 82.9.14.4:4646 -> 192.168.2.4:49730 |
Source: Network traffic |
Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 82.9.14.4:4646 -> 192.168.2.4:49730 |
Source: Yara match |
File source: G53ADrk4YR.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 82.9.14.4:4646 |
Source: Joe Sandbox View |
IP Address: 82.9.14.4 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 82.9.14.4 (identical event repeated 50 times in the report) |
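The "TCP traffic detected without corresponding DNS query" signature fires because the client connects to the hard-coded address from its configuration (82.9.14.4:4646) instead of resolving a name. The Go program below, added here as an example and not part of the sandbox's own signature code, applies the same correlation to constructed DNS and connection records: replay telemetry in time order, remember which addresses DNS answers returned, and flag outbound connections to public addresses that no recent answer explains. The record format, the sample lines (documentation addresses plus the C2 endpoint from this report) and the window lengths are the example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// Constructed telemetry, one record per line:
//   "<unix ts> dns <name> <answered address>"  or  "<unix ts> conn <dst address> <dst port>".
// 82.9.14.4:4646 is the C2 endpoint from this report; the other public address is
// RFC 5737 documentation space and 192.168.2.1 stands in for the sandbox's own LAN.
const sampleLog = `1700000000 dns ctldl.windowsupdate.com 192.0.2.10
1700000001 conn 192.0.2.10 80
1700000003 conn 82.9.14.4 4646
1700000010 conn 192.168.2.1 53
1700000065 conn 82.9.14.4 4646
1700000700 conn 192.0.2.10 80
`

// Conn is a flagged outbound connection.
type Conn struct {
	TS   time.Time
	Addr string
	Port int
}

// DNSlessConnections replays the log in order and reports every connection to a
// non-private destination that no DNS answer within the preceding ttlWindow
// resolved to. A window shorter than the resolver's cache lifetime produces false
// positives (the last sample line); a window that is too long lets a stale answer
// for an unrelated name vouch for a later beacon.
func DNSlessConnections(log string, ttlWindow time.Duration) ([]Conn, error) {
	resolved := map[string]time.Time{} // answered address -> time of the latest answer
	var flagged []Conn
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		sec, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			return nil, err
		}
		ts := time.Unix(sec, 0)
		switch f[1] {
		case "dns":
			resolved[f[3]] = ts
		case "conn":
			ip := net.ParseIP(f[2])
			if ip == nil {
				return nil, fmt.Errorf("bad address in record: %q", line)
			}
			if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
				continue // LAN and loopback destinations are reached without DNS legitimately
			}
			port, err := strconv.Atoi(f[3])
			if err != nil {
				return nil, err
			}
			if seen, ok := resolved[f[2]]; !ok || ts.Sub(seen) > ttlWindow {
				flagged = append(flagged, Conn{TS: ts, Addr: f[2], Port: port})
			}
		default:
			return nil, fmt.Errorf("unknown record kind in: %q", line)
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := DNSlessConnections(sampleLog, time.Hour)
	if err != nil {
		panic(err)
	}
	for _, c := range flagged {
		fmt.Printf("%s TCP to %s:%d with no preceding DNS answer\n", c.TS.UTC().Format(time.RFC3339), c.Addr, c.Port)
	}
}
```

With a one-hour window only the two beacons to 82.9.14.4:4646 are reported; with a ten-minute window the late reconnect to the already-resolved 192.0.2.10 is reported too, which is the cache-lifetime trade-off to tune against real resolver TTLs before deploying the rule.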
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: G53ADrk4YR.exe, 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD |
Source: G53ADrk4YR.exe, 00000000.00000002.4131354920.0000000001137000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enr |
Source: G53ADrk4YR.exe, 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Yara match |
File source: G53ADrk4YR.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Source: G53ADrk4YR.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: G53ADrk4YR.exe, type: SAMPLE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: dump.pcap, type: PCAP |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Code function: 0_2_02DBD2F0 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Code function: 0_2_02DB7040 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Code function: 0_2_02DB7910 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Code function: 0_2_02DB7E10 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Code function: 0_2_02DB6CF8 |
Source: G53ADrk4YR.exe, 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameStub.exe" vs G53ADrk4YR.exe |
Source: G53ADrk4YR.exe |
Binary or memory string: OriginalFilenameStub.exe" vs G53ADrk4YR.exe |
Source: G53ADrk4YR.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: G53ADrk4YR.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: G53ADrk4YR.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: dump.pcap, type: PCAP |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: G53ADrk4YR.exe, lXnGtZidHgLo.cs |
Base64 encoded string: 'GuRiM19iuqX1GtKSJ1ZF0/gPiPO9KOIMJU2Bh8UJREzFg0V86wvpuzNmNEuzVtkYMQfny+9iIIYHAK7iU1T3eA==', 'ldhr5vkC5wOU0G2UQlhjj4QAohFV4O8oM/DuEBwVQ6DdKK0lALgkzIqClzaGwvRjiic3xyaz1fKzjG36Wdukjw==', 'jurFDIrciJ2xEW7O9kTZb+9k7sFa5fhegyem9AwA9NwPnk+XKM23PusIn8diBRRCcO6FGGUusyw8CAyhVEa5Kxd9P/BmkBb/H4NlYbAdN2I=', 'QOs8RAAfkhJvefchDddr6I4j4MfBDrAg4UVMjYEPiGTptVjy9rccA5ZDaex5Tn/q5ZJeNRG4+/CGvKOMyR0WsQ==', 'pcd+NKUDDqVeXFuw6O4EV0RVchx7U/kNr2mi2wPJZp/eGrJBq3s4HAlUqy82pgGeNZmaJYO4etBIhDIGdi1GQQ==', 'lRjhlWBTFdpdC0v5+I6DYKmhx5jCmRpqRt9DViMNNCVFNVpcw2hi++IuYbtaATcfRDBWreywnvceOkqHpju1Ow==' |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/2@0/1 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk |
Source: G53ADrk4YR.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: G53ADrk4YR.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: G53ADrk4YR.exe |
ReversingLabs: Detection: 76% |
Source: G53ADrk4YR.exe |
String found in binary or memory: YfFk15d95gzW3KZUz/tbQfzWm7YNhj4kERBL6vfjH6NlWUa5m0JsbneyuLm1UZ+UDL3JgsGNkMcvRnFWP8b593FEZYQMYAfVrfU97CDqLOXun/Bs5ttrbAAhuul/Kiwa4rcZZdAtzUW2fLoj2C/OLJDIJmwbmpcdaHnGEe6HiPFuS6fD84oElytTTuFBwXhaaa9Qu9wdcHcwyT+dtikMmLheB9rgR72DotD0mJgy0RiPAY1xpMQl1Padj6Vz8t8gZ2VCico+sy0s6UsRZCbu7avanGLNWIdPjob8Q/yce3L9+i1Rhq25T/hybg2I7zKmynLePYExVcwQJ2vUysRSIyGU2UoAq4rBOV44vwdYBbDKt2gZg2N8dXSHVF4ctFMw8LUr/YKEdMaDQaRAHyZFRtZF11xjSkyhdQXwlx5UbZJhPKLOqaPELK9+9dKxF8C5nOtqIcgT4oBJa8KSN5ycypxLDNe9RMm/HJ2cIQoKLtn/LOkalw128JEUiuxC+fus+UihX2T8SkozbZN0lSrIQaai427vzHiipO2/uh6hRI36sCNhypu8Y2fWqOw0jpooPAbfuMWcQesPG4HQkSu1ceAi1BTpYqwYfrBXN5VezYpRE0/m3oq0/o1vXB/N2jvBrKgwrgezaRdzwF+whz7RY6K1zm1HKkpZxkcI2zHtmdO3PGsf0PSbSTB31OmYn7gJW51m+UUQErFDmjryMfXepHe7YRnPy0P0AbNu5srLVGbnrPEE6+e/ByxeLPICxTc+3KvIjUSzz0cAcwBZV4kqjxc1Zlwbd845aSDhDrceJgMR0R4qQJig1RgZhr/9tX+ijXnJdcWY9SCHb7JZvDEaLLnMKAHVCapLOTKZHdvT5VgcroBhdrlCJrN/rbLsdBi0dAA/wlaP3z0QVcbsFAep2WsaOR3bZx0cXAB4fqB4u6R+4lzvIGyLNihckhxwd6vOh5VLobkkIwvCnyzqdZ3rZbSkGTOwI+u6Xgn05FgOvrNG3bFWJo2szQLjI5QHST2LS2LhFyhtHr8rm507SkkWjPu5eFsKh7EPoRzr7+I+Qj9y4L+H10e0zYuNum/pkWoLq6b+GJYH8hXrtMYJQbG0TmU9lP/0dxwGyLnzaAct1mPYfqNLUMVimyjeISTdchvJmoCsWqhasAEpaGRrhLmIEfwvfDJeaj6/OibY6jkKtzNGgI69zMKFn3mcn1L+dRaaGGNwLsn5l0wmZgUNB4P1rDEOM7ZP4Mx+3TeiyUuOPZopF7uNCNwBdWeWWz6Mzympanv/kgphduEeO1XJetTvYxhFQ6d7ttdPdNsOJNNHW8lDTFD/jkQndUexNnskm0ks2LEeGNQJZDimYFDIzAlbQOuDtw6nfVTZlOTmLZwQwWsGHsq1KYR2MGlPkiwEO74xEpSq8bHUcYwgwWsEuGZbimLmCbMRZiArbHIWyZwbvoQL/EY5rjWpD+DMFtgpZTbh+V1iwH/2ecrnvYtmUHIyk9hDwR2lYhFYqEBmjR3JNWGlAVHRjqXlaxW2iZtuL26hDVy3b6wAe8XSmG9Ye5j0Dlpw6Xth9BD07VtBbKeKw2Pl3ncG9VmlL1oEdrpQOnQFn3svLDzJnM/E4u/R7EmMIDQQYPxAGucurIaYTrAUoT7/ZDNzIpWGQbJsshh4ZfLR9RjhO/+66kXVv16lDneQqMBam6ss2HqAX7RCMKsIlj0CfQlzaHMRVRoxSyugU4LcJFK1hxM3wfZ6pW1lPjb1nlkUHlnHd1DzVC+AXmqvIgLPVxZigwKQ+WkwXQ7KGcvMZMk/OKyGO5HYgjgVdvxWIptlLdPUyogR2/g/2WctX0q5aA14SBnmF9uf58Qswq6kgoU0R9OLpc/KHP7T5aaXGQYJxgkxYMkCKHckZjsko+5Lhw95QkyTl4ijXnwXopCLWVcxXNv7PldUKG6xXc8pV9AJRBb86T+B0eKSa5q5T3t5ClerzI1yZJjeUV0RyBDPrJ/hDeq5Y6t+1J6qTMusY7Bgqqryu6OIpNPzJQbiTPOOdlOOFu5wOv6Q0A/8qL6h8WYS81QNZXkyQ2JAACyOiRijVGGVFdaEwZT/OMa5aLeisyQ4mXP/7EmZA8T3W3HsXznWH+599Dny0Oo+yuA3Z+kb6tb2Yzv3UMMs5xf+dp/aDDPSik94mobTWCEy7NwtYJhIlIXogA0vKYgi+4skatKWYLAIwv5/1UtkR/Wfi40PIqMag7uy/iy3v9MBj8Q6aFNSTsWXX8/hPG/t42UPa+s72NrGf7OXYrpvS01EZ7D5HA6sff0JgAOlBs7Zq+IESi+ydQovqIiLrB5DU0A5jqM/Uha5JKivmNyUmqt1hFXs= |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: G53ADrk4YR.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: G53ADrk4YR.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: G53ADrk4YR.exe, KdFPrLOtZUk.cs |
.Net Code: ncJKSELuxvd System.AppDomain.Load(byte[]) |
Source: G53ADrk4YR.exe, QHxyWjZbREABBUw.cs |
High entropy of concatenated method names: 'efxRXWypncsLXrAQu', 'PYLvoHILFhE', 'juePExhPez', 'mgtajXylhGhK', 'kDTkqiqCZSb', 'sSTdfozEiMK', 'qPLqRQipKlxgRclh', 'KHzUxDzPTWW', 'jYKOfWwZNgOt', 'tUrGtsUCPVfrk' |
Source: Yara match |
File source: G53ADrk4YR.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Process information set: NOOPENFILEERRORBOX (identical event repeated 49 times in the report) |
Source: Yara match |
File source: G53ADrk4YR.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Source: G53ADrk4YR.exe |
Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Memory allocated: 1460000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Memory allocated: 2E50000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Memory allocated: 1460000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Window / User API: threadDelayed 3086 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Window / User API: threadDelayed 6741 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 5304 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 280 |
Thread sleep count: 41 > 30 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 280 |
Thread sleep time: -37815825351104557s >= -30000s |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 764 |
Thread sleep count: 3086 > 30 |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 764 |
Thread sleep count: 6741 > 30 |
Source: G53ADrk4YR.exe |
Binary or memory string: vmware |
Source: G53ADrk4YR.exe, 00000000.00000002.4131497141.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, G53ADrk4YR.exe, 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, G53ADrk4YR.exe, 00000000.00000002.4132844548.0000000005390000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Queries volume information: C:\Users\user\Desktop\G53ADrk4YR.exe VolumeInformation |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: G53ADrk4YR.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR |
Source: G53ADrk4YR.exe, 00000000.00000002.4131497141.00000000011F9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: C:\Users\user\Desktop\G53ADrk4YR.exe |
WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct |