Windows Analysis Report
17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe

Overview

General Information

Sample name: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe
Analysis ID: 1561552
MD5: 49dc4ee55a1efd095a37979f88b9080c
SHA1: fedf426141c227a67df1dcde19182abc46cac369
SHA256: 1896c48f7355a6d6f54df73e79e1176a069f2df15a7afb09f77974fd4d08cf5e
Tags: base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

XWorm
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected XWorm
Machine Learning detection for sample
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection
barindex
Machine Learning detection for sample
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
PE file does not import any functions
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Binary or memory string: OriginalFilenamegangster90x.exe4 vs 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe
Uses 32bit PE files
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: classification engine Classification label: mal60.troj.winEXE@0/0@1/0
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe, type: SAMPLE

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561552 Sample: 17323828261cfef277a3375a886... Startdate: 23/11/2024 Architecture: WINDOWS Score: 60 6 tse1.mm.bing.net 2->6 8 ax-0001.ax-msedge.net 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Yara detected XWorm 2->12 14 Machine Learning detection for sample 2->14 signatures3
No contacted IP infos

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
ax-0001.ax-msedge.net 150.171.27.10 true
tse1.mm.bing.net unknown unknown