Edit tour

Windows Analysis Report
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Overview

General Information

Sample name:	17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe
Analysis ID:	1561768
MD5:	dc9544bf3a585c21a620bb1d85a4dfdc
SHA1:	0e9bb93482beff08eb211ff551de66bf0b8aa0d4
SHA256:	4e1597543c0d63cf44db982f9c5cdb0ebdb88343ab8e8711501103d5f2ebb06b
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

AsyncRAT, PureLog Stealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe" MD5: DC9544BF3A585C21A620BB1D85A4DFDC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe PID: 7420	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	ReversingLabs: Detection: 81%
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Joe Sandbox ML: detected

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Uses dynamic DNS services

Source: unknown

DNS query: name: deadpoolstart2025.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 181.71.217.114:4203

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: deadpoolstart2025.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe PID: 7420, type: MEMORYSTR

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, 00000000.00000000.2152251121.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Binary or memory string: OriginalFilenameClient.exe. vs 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, Settings.cs

Base64 encoded string: '/VQW6eKj3BmRNQSS4yGSEU44I2heqG6OqfTOH+deOmn5i/UhDvAfwJO0tGCRCydDHR7R4whHaO1wNpK5s8Iwyw==', 'TQySk7y9VGRdBU4iInHs8rwANE7KbWp+/8SABUchoDSRsgKxQn0EkGzwlM1nNk9UMP3gYPaeyiKg6G6oIy9HHpvJiYTCaJNExkoxnk5raRo=', 'ObETGEb8qNEfmwx/hiZhekYBt6QHKhWBi1n2Ifyx5yBpHu/0rYIT03hBuRwlTG7qxTVpCrNmh2/QaTLbLL6r9Q==', 'usAgB+qTmFP8sXTciCWJJNNBrAP9O6gdBCP9rMdWB992Fgtc76bYZcNj/oJ7jyg9FAiCQcUReAG+q6jnAXum9w==', 'kuW2e4Uo2Ng6xeXfsD2nWvbI6c/ErJ9YDOgHpows/QQ7BYn/8dzaLBMxtqQrVvS1Wqyj52fUO6+U+G/52mByqN4xfo4u+lsqvYWkrly/mGfciJnXoBSGIP3Eu4DixW92wZ7rmwek5zzvGITgU62Dn0JPApq5YnK47fcwoKXxgDAqXaQMz3OyHNDl8mzzcM/sFjz0/abYaB29xjdedkbrBtp4Bj+ea5rB2k/tsBySdvUinO8oLIv9WK95sM2uv93eJ80p3oy39ryGU4urHhFYT4g4XSKWZ8vrkZT72akDNPJthxmZO7IkDMD9yrAC+pFtrcgU53T3i5vlDmUvr9c/UGLzASBbqPwI8t4WAonUydnUelhWHp325J/wZ2DfaC205I18pPdJqZVOPOvaLhBwIS7x6y+TxgF18dfgMM1KoWUEuVuJ7Eo7I1uGPL7D6auswDUd9pa3BeJ+30S5jHWAFORuqN8UY9fzbA6nwWnuUCHd/2utECwoT6UAIYI3FnaVSZWfu1LCwLRYe3bA6YTl/C0R+IYGPHF9VxfDUFTOZDv6z5kCKhb8MtIxW+mKKBFN+Hh0pEQruo7IsBcgJG18T/3jYys++Ehl1il87fe93tIepokF4cwkTLVy+p4wMPbMF0bD9Fnw+os5O1/24G3sXzDZibJKx1zROj5TTXALxhgCoh0wr9pZ8MFRD/G4P8hKsORW3lmLdIdTuNs0PppLuCftEmBjlu16A/aX06H1DKQsh/QwlZP+2Nb4DKemcmekMjmMOd696zeOpkDaCDsrM0clumVUGFViqMaBWELSpQ3/m6yfE1P9Fg8dm97DFB7k/B3tfGAMc/Y939MbE9Bo/fxWiU1qySNqaXAILEHBbYEthRb2a47BnrFCoDoLJ2F/3nhn2+/T6EJgjvLsi4kgMEoEBXy54hJmAj8O2MYymVD3gOJbpIxATneCAQSHD3MnMY9kCxzACkGLRvJwYGvYqQ==', 'Jsw+llZQG7+3n4Z7289CJcGLSnN/TAP8XrYZc2YyQcTulDeS2VaTaRPTH2v7Q2yFN5SoCn0RCH6m1DTi2BhNSA==', 'r45aCZKvGCMxPKIbCM/S8nkKXgrBTRDFk0l2PaZFc5wy1wHF3Nahv9h5bF6DkG5mzPm/18CxpwRYL+H9RL6nUQ==', 'JCeKP1BxcWRJhcFEaSk/TlIirnkkDsOQZfJIXE+gW3AN2uyfvkGfZpJu6YDPHoRkWnhd9YMt52UVpNPsFf/k0g=='

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\cookies

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	ReversingLabs: Detection: 81%
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Virustotal: Detection: 61%

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, ztyRuKUUcJZ5bFtbir.cs

.Net Code: AjyaI4NoVhyBr4SSAkJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, BrEOWILUFmZ9AtRTw7.cs	.Net Code: je9vOnF1uu System.Reflection.Assembly.Load(byte[])
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, Packet.cs	.Net Code: sRvvV4W0c

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Static PE information: 0xC8008F07 [Thu Apr 30 13:43:35 2076 UTC]

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Code function: 0_2_00007FFD343700BD pushad ; iretd

0_2_00007FFD343700C1

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, Settings.cs	High entropy of concatenated method names: 'InitializeSettings', 'u6mbrL3S7', 'G0McnFnJquo7g7qGrF', 'ByQbFvmElDfIrGjAZ6', 'AvSvAwkiQLqdOTDtAx', 'PlYBDM04m1c2CYdqmS', 'HKsmHS7LCDwZ68yHyp', 'Nyhawj4ZkROBuEJWkZ', 'OtL6mLHuFknPTR805j'
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, BrEOWILUFmZ9AtRTw7.cs	High entropy of concatenated method names: 'lLHifFIsCLsZtjvFfN0i', 'je9vOnF1uu', 'flwvX1Px88', 'oyOp5hZsjHcfyGwrdjy', 'fqh5QCZjUv8clodjw2T', 'gLpdYCZf8lWFm4NHodo', 'z2Asa9ZxYJosshBA98f', 'YLqUMFZ2P5EwutUd9tC', 'DCVWVqZrraVn3wH99HJ', 'nZKU7rZVFYuVOOdPh1R'
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, ztyRuKUUcJZ5bFtbir.cs	High entropy of concatenated method names: 'lxkAa0ZKjCwMjBG5Hqe', 'komd5vZteSjXtKwx60C', 'FSwvvbyrDy', 'KDikMXewCI', 'bFEvFHJunD', 'sLOvUQQSPX', 'UrKvhteryJ', 'tUiv9MUeAQ', 'b8tIHofv94QW9', 'JXGggW2SZ'
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, IdSender.cs	High entropy of concatenated method names: 'SendInfo', 'zidG9l6txekmJtUA2Z', 'cFVmp5QDQbKu6hoDRY', 'CZyhYSsab74Ve313rA', 'VxGKN4jxsCdopfvRnP', 'ldk51CfmhUJknG6lrH', 'ntgIsrxciUi0drUyxd', 'W1RemF2rEXFJxD5YCe', 'sSR9iOPGqaFoJmO5kF', 'IWQeHXeFN6bnIgQWDx'
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, ClientSocket.cs	High entropy of concatenated method names: 'VuKXUcJZ5', 'bFtebirEm', 'QVysf8LyR', 'aBmQEo0Mp', 'JN0050Qod', 'gqN37CREc', 'oKcSd5v20', 'poot9NONb', 'SOXuBa3GW', 'InitializeClient'
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, Aes256.cs	High entropy of concatenated method names: 'Decrypt', 'ComputeHash', 'Decrypt', 'qkgCfxNdmdA0saDluUm', 'g1YO3tNy8lG0e4Z6Hf5', 'xJmkkCNFlgm5uOnHKn3', 'QBidRkN9GFyyENra1iF', 'jb2GniNRWwdeNyRnkmI', 'c7ElsxNMRrSq5uCommj', 'R41VtrNh3LOcdhx3l61'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe PID: 7420, type: MEMORYSTR

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe PID: 7420, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Memory allocated: 1740000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Memory allocated: 1B130000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe TID: 7424

Thread sleep time: -65000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Binary or memory string: YCaPJ0TQtLQT34nl4JauPm7XXPe4ksw3z/yY0/V18UiMaMSi/5xEiYtXCPsk9hF/zwNHKWJM0gw856vyndsHZKZFUtP0NGz0CMs9GQDnvHK0eRoYWx7IY+hODO6Dj5ud+7WDdfeUHEmxU0OO+9b+eSreLvCaLJwu5eZI7yZPrNYLaxTuOXhtpauJAn75ebCFQS7NxU0Bw+agXgEQFYrfbUlbflNJPioyEDj+ytsvl72CPeVFc9RlScUCpuDcaQtEUF7JsrHv/PiViPOM+q7UykgchOq7H4EdMigoyh3YRUzx9nM+ZiIhUKGOH2eZ8rd1WODczGmUE1mDA4UlFjvhow0rbTGXmjh/V9HT4smgEkpgQhrRjfCJW70eF3EfUlMptxLQ3/iWCnHLyirHCT7y2c7QKA83/6eqvBolQ4TVHJzm6tT7IHiW9J8zCk9Gl1gNkzBNmCUS7+3VGjXPFK68L1Sxh9v/V9MIEfrh5L1P8W1sUPTtFPOdRDcwKWRXstYVnbjDMPOQJqfsAxvI+7QlZ+qQL4dV9TlMUAY79MmFrBdYmcqzhB6eZJO60zwlsKSC+6VlYXs/QwGWTXEv6qRhwW0Q5rgQ+cXsw+v3NHSZdiefdt4PoIOEF9V6zwgwEe/q7gLVpagqnU2e46IjODP7Fz+/fBa0eueA4B1p0gqFfQNvIxAazhj+lCSvApHbKaaZvz8Tqb+wo7Hq9l0DVV+pexW17L4NKfHPlH4NpVfDJe8M9rO2oZTyv10RV+IqCNMnMznzqpU8atRuSJCtAm36V0VFAySa8sKc3PKehrNUtOTmujzulhPeQKE4+TuGqR71X/rEJsV90qisE7cM96KqO9dT3ZyCmcAd/jsCVF9QtPeopbFvwQSyXMkHJeR5JfpLI37sc2SYuqhrR2/GE02WjU1SCR4mgrxCLt/z4vTjkxyPtMVqzric+ljDdfbU3fdta7aE2CJCcQBvc8JV0E8Xw5bVFk8WL9uAgtx2zHY5mXhh9V7xq0zXnjFRmRR8xFWJQod6oG6jw/8NiyJBk70IQc0G+/HJuixy2OP4imVP2r4WA2pNMKWN6Q+WHJi5Sp2rqq168TFatLqybbRWt7/s/7t92knkLEqEMU2Z7z2mdyFVUivw6jciiqmh5Uxi6a2biRMaf46uE+l+65WSupq5k/5gMRu0lWO+BMid+tPy3TF/r2itmbSXFZi5QgbmRMw+lkKz3DfF3NH6Z7t9YncTDx6p7+TZVPU99b1BztpwqpC2PD9NDypdpJzK9ow2oiCE0P4yyV1sdrT3gvuWd4ljj+7mxPuEOn4X26+UurDi7YP4xaRYHawRV7vb80T3h9jwAqmenB9aWXu/4ZjAqCN5scpS6XTjxIOu7bHVCb31J5ZUvROY77KzGw9THA2K1hpdzWYANLJ/8cUoUWQ0SADjEbEwEvN1C5qpyJL1HSuTaHfXojqrRknyyKU3bJbCxPA0Nn2twuoR+hJI2DmrVc7NgF2w6LumqzYbY7kqd2KJc5rgC3WslLjD6WR1WdXGMKFD7M8wp/FE/qvzO8OFRoHydoU1pOIsIIEW7aVse334hL8DjMTwEVeE8CZKX5W1qaOEa8C3myMH+XeNbuOoV1bVJUdLMWEQe6igK2Ten6HO7OIuI/30xuERnpsnT/51Ty8mCDjUPGagce4dXoAITzPaD8hoGwh/atiQKzOBASxoV6Hjtv4oKaOm1GFI3HNB1JPH0E+PIbrHzaYmFJwqWOYaxfb4iQA8Pnp649N9pb9JWb52H3/vitE46xkKfcxX45Nly9tu4CtV3lLZwSLHJGwV1eo/jZGKPrMpWUTUM+gHd7UxQBM5fbn6/DJusFhEt1jBbz8VteF6Qt3jkcjUN/ZG2O4tiW3RmNw+fyA+pmU9EItPl+qJK8t7Zhyqgk1Ct3CM4BuSvTszYWEpOMrflBqNeRD5TCblPG6HNFPZnMaCL0Cugq4eUFJ8XgKfsEUZ7LvfHMzVv0X/bXeolADIJc9Dcw5Cf7PHxUrQsO6awPm6QjpY11F5bIwrwKYezKN1rcUUr99e8Qv61eO+XgC9rzYyO2OKVKDVDJmzXhTfx+qkgcanfO/277yKEEntB7Zm5wfknRzcvAO0oh8C1hH2454cG5m0pdMwCstyoNgG0Fhxc0R+lZQY/DV0fd58doFlhm93naDyMOib0hYXGo8u73Z0ZwfsX18m5bfA8Bh2/loTJVcKBNvpNZD5HqLw5kiiDDTEharQBvevGMzhDozKD5MPrJDGN+/gzRulTIq1mmtUDa0FiXHTYdgnRO2z+tTuXPdSUFEBaYuPbZEhdPSrXGcksulid/RuQQjM9Ctv6vcE3orA=
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	Binary or memory string: vmware
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, 00000000.00000002.3411943006.0000000003131000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,CaPJ0TQtLQT34nl4JauPm7XXPe4ksw3z/yY0/V18UiMaMSi/5xEiYtXCPsk9hF/zwNHKWJM0gw856vyndsHZKZFUtP0NGz0CMs9GQDnvHK0eRoYWx7IY+hODO6Dj5ud+7WDdfeUHEmxU0OO+9b+eSreLvCaLJwu5eZI7yZPrNYLaxTuOXhtpauJAn75ebCFQS7NxU0Bw+agXgEQFYrfbUlbflNJPioyEDj+ytsvl72CPeVFc9RlScUCpuDcaQtEUF7JsrHv/PiViPOM+q7UykgchOq7H4EdMigoyh3YRUzx9nM+ZiIhUKGOH2eZ8rd1WODczGmUE1mDA4UlFjvhow0rbTGXmjh/V9HT4smgEkpgQhrRjfCJW70eF3EfUlMptxLQ3/iWCnHLyirHCT7y2c7QKA83/6eqvBolQ4TVHJzm6tT7IHiW9J8zCk9Gl1gNkzBNmCUS7+3VGjXPFK68L1Sxh9v/V9MIEfrh5L1P8W1sUPTtFPOdRDcwKWRXstYVnbjDMPOQJqfsAxvI+7QlZ+qQL4dV9TlMUAY79MmFrBdYmcqzhB6eZJO60zwlsKSC+6VlYXs/QwGWTXEv6qRhwW0Q5rgQ+cXsw+v3NHSZdiefdt4PoIOEF9V6zwgwEe/q7gLVpagqnU2e46IjODP7Fz+/fBa0eueA4B1p0gqFfQNvIxAazhj+lCSvApHbKaaZvz8Tqb+wo7Hq9l0DVV+pexW17L4NKfHPlH4NpVfDJe8M9rO2oZTyv10RV+IqCNMnMznzqpU8atRuSJCtAm36V0VFAySa8sKc3PKehrNUtOTmujzulhPeQKE4+TuGqR71X/rEJsV90qisE7cM96KqO9dT3ZyCmcAd/jsCVF9QtPeopbFvwQSyXMkHJeR5JfpLI37sc2SYuqhrR2/GE02WjU1SCR4mgrxCLt/z4vTjkxyPtMVqzric+ljDdfbU3fdta7aE2CJCcQBvc8JV0E8Xw5bVFk8WL9uAgtx2zHY5mXhh9V7xq0zXnjFRmRR8xFWJQod6oG6jw/8NiyJBk70IQc0G+/HJuixy2OP4imVP2r4WA2pNMKWN6Q+WHJi5Sp2rqq168TFatLqybbRWt7/s/7t92knkLEqEMU2Z7z2mdyFVUivw6jciiqmh5Uxi6a2biRMaf46uE+l+65WSupq5k/5gMRu0lWO+BMid+tPy3TF/r2itmbSXFZi5QgbmRMw+lkKz3DfF3NH6Z7t9YncTDx6p7+TZVPU99b1BztpwqpC2PD9NDypdpJzK9ow2oiCE0P4yyV1sdrT3gvuWd4ljj+7mxPuEOn4X26+UurDi7YP4xaRYHawRV7vb80T3h9jwAqmenB9aWXu/4ZjAqCN5scpS6XTjxIOu7bHVCb31J5ZUvROY77KzGw9THA2K1hpdzWYANLJ/8cUoUWQ0SADjEbEwEvN1C5qpyJL1HSuTaHfXojqrRknyyKU3bJbCxPA0Nn2twuoR+hJI2DmrVc7NgF2w6LumqzYbY7kqd2KJc5rgC3WslLjD6WR1WdXGMKFD7M8wp/FE/qvzO8OFRoHydoU1pOIsIIEW7aVse334hL8DjMTwEVeE8CZKX5W1qaOEa8C3myMH+XeNbuOoV1bVJUdLMWEQe6igK2Ten6HO7OIuI/30xuERnpsnT/51Ty8mCDjUPGagce4dXoAITzPaD8hoGwh/atiQKzOBASxoV6Hjtv4oKaOm1GFI3HNB1JPH0E+PIbrHzaYmFJwqWOYaxfb4iQA8Pnp649N9pb9JWb52H3/vitE46xkKfcxX45Nly9tu4CtV3lLZwSLHJGwV1eo/jZGKPrMpWUTUM+gHd7UxQBM5fbn6/DJusFhEt1jBbz8VteF6Qt3jkcjUN/ZG2O4tiW3RmNw+fyA+pmU9EItPl+qJK8t7Zhyqgk1Ct3CM4BuSvTszYWEpOMrflBqNeRD5TCblPG6HNFPZnMaCL0Cugq4eUFJ8XgKfsEUZ7LvfHMzVv0X/bXeolADIJc9Dcw5Cf7PHxUrQsO6awPm6QjpY11F5bIwrwKYezKN1rcUUr99e8Qv61eO+XgC9rzYyO2OKVKDVDJmzXhTfx+qkgcanfO/277yKEEntB7Zm5wfknRzcvAO0oh8C1hH2454cG5m0pdMwCstyoNgG0Fhxc0R+lZQY/DV0fd58doFlhm93naDyMOib0hYXGo8u73Z0ZwfsX18m5bfA8Bh2/loTJVcKBNvpNZD5HqLw5kiiDDTEharQBvevGMzhDozKD5MPrJDGN+/gzRulTIq1mmtUDa0FiXHTYdgnRO2z+tTuXPdSUFEBaYuPbZEhdPSrXGcksulid/RuQQjM9Ctv6vcE3orA=
Source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, 00000000.00000002.3410743557.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Queries volume information: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe PID: 7420, type: MEMORYSTR

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, type: SAMPLE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe.f06d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	61%	Virustotal		Browse
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	100%	Avira	TR/ATRAPS.Gen
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
deadpoolstart2025.duckdns.org	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
deadpoolstart2025.duckdns.org	181.71.217.114	true	true	1%, Virustotal, Browse	unknown
ax-0001.ax-msedge.net	150.171.28.10	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.71.217.114	deadpoolstart2025.duckdns.org	Colombia		27831	ColombiaMovilCO	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561768
Start date and time:	2024-11-24 08:41:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/0@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe, PID 7420 because it is empty
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
181.71.217.114	LETA_pdf.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
deadpoolstart2025.duckdns.org	LETA_pdf.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	181.71.217.114
fp2e7a.wpc.phicdn.net	4yOuoT4GFy.exe	Get hash	malicious	AsyncRAT	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	192.229.221.95
	file.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	192.229.221.95
	decode_8dad31e2f9be3de071939da6e14b6f6e8366fd10a6e77ff91ad879dc0abe6334.exe	Get hash	malicious	PureLog Stealer	Browse	192.229.221.95
	file.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	n5QCsKJ0CP.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
ax-0001.ax-msedge.net	ORDER 08757646566535857_95877465434-1.exe	Get hash	malicious	FormBook	Browse	150.171.28.10
	file.exe	Get hash	malicious	Stealc	Browse	150.171.27.10
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	150.171.27.10
	file.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	150.171.27.10
	file.exe	Get hash	malicious	Credential Flusher	Browse	150.171.27.10
	17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exe	Get hash	malicious	XWorm	Browse	150.171.27.10
	https://myqrcode.mobi/qr/3c3aa5e1/view	Get hash	malicious	Unknown	Browse	150.171.27.10
	file.exe	Get hash	malicious	Credential Flusher	Browse	150.171.27.10
	file.exe	Get hash	malicious	Stealc	Browse	150.171.27.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe	Get hash	malicious	Remcos	Browse	191.91.176.72
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	191.93.32.228
	173214786538d62370d8419c4e67fb1390e51b3edc777f72d69442d5f67bcb27b6dd851138241.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	191.91.176.72
	PNSBt.js	Get hash	malicious	AsyncRAT	Browse	191.93.117.49
	LETA_pdf.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	181.71.217.114
	aNZZ9YFI6g.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	191.93.117.49
	spc.elf	Get hash	malicious	Mirai	Browse	177.254.129.210
	xd.spc.elf	Get hash	malicious	Mirai	Browse	181.205.208.130
	xd.m68k.elf	Get hash	malicious	Mirai	Browse	181.71.150.123
	xd.arm.elf	Get hash	malicious	Mirai	Browse	191.91.160.75

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.534728739239857
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe
File size:	78'336 bytes
MD5:	dc9544bf3a585c21a620bb1d85a4dfdc
SHA1:	0e9bb93482beff08eb211ff551de66bf0b8aa0d4
SHA256:	4e1597543c0d63cf44db982f9c5cdb0ebdb88343ab8e8711501103d5f2ebb06b
SHA512:	38f8080ac2f271a5b00904cad596fd65312aaa6074d1c8230ec1f31467d5e46ae75d80439c1ec57fecd2b8c2c319380463d32d5c6539b884fd7befe8cc2609c9
SSDEEP:	768:vw8ObcTxPG1oj5hHCMI0boPaVr572GBWkDbVxPn9V/EItMiTBijcnAGEaDDx1plf:vrsOjWaSaVr5l3TijKAGXDx8UMZJi
TLSH:	4A735B187BABC526D1BDAA7984E113050775E7137203DB4F2CC8039A4F13BCB9F56A9A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..*...........H... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41482e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC8008F07 [Thu Apr 30 13:43:35 2076 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x147d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x364	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12834	0x12a00	69c2f58209779c4decbad87a225cd7bb	False	0.4855940645973154	data	5.602838804056226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x364	0x400	136f7f00ab55492c7e422d0746242c72	False	0.3544921875	data	2.719174979631242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0xc	0x200	9c30505608a56551f999df7668151f55	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x16058	0x30c	data			0.4269230769230769

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:42:50.762327909 CET	49721	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:50.881956100 CET	4203	49721	181.71.217.114	192.168.2.6
Nov 24, 2024 08:42:50.882626057 CET	49721	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:51.334517002 CET	49721	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:51.454181910 CET	4203	49721	181.71.217.114	192.168.2.6
Nov 24, 2024 08:42:53.120469093 CET	4203	49721	181.71.217.114	192.168.2.6
Nov 24, 2024 08:42:53.120973110 CET	49721	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:58.154359102 CET	49721	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:58.155833960 CET	49738	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:58.273931026 CET	4203	49721	181.71.217.114	192.168.2.6
Nov 24, 2024 08:42:58.275413990 CET	4203	49738	181.71.217.114	192.168.2.6
Nov 24, 2024 08:42:58.275537014 CET	49738	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:58.276139021 CET	49738	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:42:58.395617962 CET	4203	49738	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:00.459239960 CET	4203	49738	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:00.459388971 CET	49738	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:05.478080988 CET	49738	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:05.479104996 CET	49754	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:05.597567081 CET	4203	49738	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:05.598568916 CET	4203	49754	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:05.598664045 CET	49754	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:05.599044085 CET	49754	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:05.718552113 CET	4203	49754	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:07.875143051 CET	4203	49754	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:07.875276089 CET	49754	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:12.884393930 CET	49754	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:12.890769005 CET	49776	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:13.003940105 CET	4203	49754	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:13.010349035 CET	4203	49776	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:13.010442019 CET	49776	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:13.010930061 CET	49776	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:13.130378008 CET	4203	49776	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:15.257102013 CET	4203	49776	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:15.258750916 CET	49776	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:20.259387970 CET	49776	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:20.260242939 CET	49803	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:20.380300045 CET	4203	49776	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:20.380315065 CET	4203	49803	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:20.380429983 CET	49803	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:20.380791903 CET	49803	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:20.500160933 CET	4203	49803	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:22.646823883 CET	4203	49803	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:22.646929979 CET	49803	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:27.649955034 CET	49803	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:27.650934935 CET	49825	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:27.769468069 CET	4203	49803	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:27.770422935 CET	4203	49825	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:27.770522118 CET	49825	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:27.770958900 CET	49825	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:27.890892982 CET	4203	49825	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:30.007642031 CET	4203	49825	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:30.007726908 CET	49825	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:35.046921968 CET	49825	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:35.048594952 CET	49841	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:35.166373968 CET	4203	49825	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:35.168061972 CET	4203	49841	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:35.168133974 CET	49841	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:35.169826031 CET	49841	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:35.289268970 CET	4203	49841	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:37.411067963 CET	4203	49841	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:37.411151886 CET	49841	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:42.416610003 CET	49863	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:42.416610956 CET	49841	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:42.536155939 CET	4203	49841	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:42.536173105 CET	4203	49863	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:42.536322117 CET	49863	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:42.538655996 CET	49863	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:42.658217907 CET	4203	49863	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:44.828684092 CET	4203	49863	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:44.828753948 CET	49863	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:49.837491989 CET	49863	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:49.838468075 CET	49884	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:49.957032919 CET	4203	49863	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:49.957914114 CET	4203	49884	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:49.958030939 CET	49884	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:49.958465099 CET	49884	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:50.078275919 CET	4203	49884	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:52.211148977 CET	4203	49884	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:52.211235046 CET	49884	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:57.212630033 CET	49884	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:57.332221031 CET	4203	49884	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:57.554914951 CET	49901	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:57.674464941 CET	4203	49901	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:57.674606085 CET	49901	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:57.675199032 CET	49901	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:43:57.794642925 CET	4203	49901	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:59.917294025 CET	4203	49901	181.71.217.114	192.168.2.6
Nov 24, 2024 08:43:59.917375088 CET	49901	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:04.931229115 CET	49901	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:04.932282925 CET	49917	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:05.051568031 CET	4203	49901	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:05.051676035 CET	4203	49917	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:05.051827908 CET	49917	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:05.052212954 CET	49917	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:05.171618938 CET	4203	49917	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:07.317125082 CET	4203	49917	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:07.317179918 CET	49917	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:12.321917057 CET	49917	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:12.325567961 CET	49936	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:12.441957951 CET	4203	49917	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:12.445204020 CET	4203	49936	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:12.446866035 CET	49936	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:12.492228985 CET	49936	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:12.611855984 CET	4203	49936	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:14.697755098 CET	4203	49936	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:14.697820902 CET	49936	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:19.712658882 CET	49936	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:19.713728905 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:19.832227945 CET	4203	49936	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:19.833203077 CET	4203	49953	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:19.833285093 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:19.833723068 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:19.953697920 CET	4203	49953	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:22.089179993 CET	4203	49953	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:22.089270115 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.103605986 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.104530096 CET	49969	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.415653944 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.502784014 CET	4203	49953	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:27.502805948 CET	4203	49969	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:27.504745960 CET	49969	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.505781889 CET	49969	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.536201000 CET	4203	49953	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:27.536268950 CET	49953	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:27.626542091 CET	4203	49969	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:29.785168886 CET	4203	49969	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:29.785248995 CET	49969	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:34.791059017 CET	49969	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:34.792093039 CET	49988	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:34.910948992 CET	4203	49969	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:34.911878109 CET	4203	49988	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:34.911959887 CET	49988	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:34.912408113 CET	49988	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:35.031847954 CET	4203	49988	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:37.125224113 CET	4203	49988	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:37.128604889 CET	49988	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:42.134551048 CET	49988	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:42.135590076 CET	50004	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:42.254077911 CET	4203	49988	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:42.255207062 CET	4203	50004	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:42.255340099 CET	50004	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:42.255868912 CET	50004	4203	192.168.2.6	181.71.217.114
Nov 24, 2024 08:44:42.375391960 CET	4203	50004	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:44.447459936 CET	4203	50004	181.71.217.114	192.168.2.6
Nov 24, 2024 08:44:44.447554111 CET	50004	4203	192.168.2.6	181.71.217.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:42:50.388225079 CET	53266	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:42:50.715430975 CET	53	53266	1.1.1.1	192.168.2.6
Nov 24, 2024 08:43:57.213737011 CET	63156	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:43:57.553864956 CET	53	63156	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:42:50.388225079 CET	192.168.2.6	1.1.1.1	0x1686	Standard query (0)	deadpoolstart2025.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:43:57.213737011 CET	192.168.2.6	1.1.1.1	0xc082	Standard query (0)	deadpoolstart2025.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:42:38.884562016 CET	1.1.1.1	192.168.2.6	0x9012	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:42:38.884562016 CET	1.1.1.1	192.168.2.6	0x9012	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:42:50.715430975 CET	1.1.1.1	192.168.2.6	0x1686	No error (0)	deadpoolstart2025.duckdns.org		181.71.217.114	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:43:39.277957916 CET	1.1.1.1	192.168.2.6	0xeb57	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:43:39.277957916 CET	1.1.1.1	192.168.2.6	0xeb57	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:43:39.277957916 CET	1.1.1.1	192.168.2.6	0xeb57	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:43:57.553864956 CET	1.1.1.1	192.168.2.6	0xc082	No error (0)	deadpoolstart2025.duckdns.org		181.71.217.114	A (IP address)	IN (0x0001)	false

Analysis Process: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exePID: 7420, Parent PID: 4004

General

Target ID:	0
Start time:	02:42:41
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe"
Imagebase:	0xf00000
File size:	78'336 bytes
MD5 hash:	DC9544BF3A585C21A620BB1D85A4DFDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2152224378.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exePID: 7420, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD343706A5 Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

M_^", xrefs: 00007FFD343706C2
M_^I, xrefs: 00007FFD34370762
M_^$, xrefs: 00007FFD343706C9

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID: M_^"$M_^$$M_^I
API String ID: 0-434452784
Opcode ID: d908d399b10ab1b8473bd4ffca778fc32f637ec0140ee9d85a4303edb034ee68
Instruction ID: 390b9f1c1c6cd529107e4f8f79cca94838fa28add3ed3cbfdcb1875edc3bd3e4
Opcode Fuzzy Hash: d908d399b10ab1b8473bd4ffca778fc32f637ec0140ee9d85a4303edb034ee68
Instruction Fuzzy Hash: AC616D27B0D1995AE31177ACB8A50E97B94DF46339B0943B7D18CCB483DD1E618646C0

Function 00007FFD343706D3 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

M_^I, xrefs: 00007FFD34370762

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID: M_^I
API String ID: 0-81969055
Opcode ID: 5fb0b216401c8fc9a222bb680c48ab6b13b729444c150f7151755e137e58ccdd
Instruction ID: 9cbf03ed5ab31ea1cbb1f54f3fa123026cb703ee8c5705598f28e5fb09c408c6
Opcode Fuzzy Hash: 5fb0b216401c8fc9a222bb680c48ab6b13b729444c150f7151755e137e58ccdd
Instruction Fuzzy Hash: 55415B27B0919956E31177ACBCA60EE7B54DF86335B0943B7C2DCCB443AD2E614746C4

Function 00007FFD34370CBD Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

#CM_^, xrefs: 00007FFD34370DA8, 00007FFD34370E69

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: 13f04236c673221dc54041e80cc3ef2ea23a19bd885eab95104af880eb4e5624
Instruction ID: 86ae1026d44295f896cba1d9c25145e9b7ebdc35f14ea6ffb9da5718ed7b1bb8
Opcode Fuzzy Hash: 13f04236c673221dc54041e80cc3ef2ea23a19bd885eab95104af880eb4e5624
Instruction Fuzzy Hash: BE517D20F8D7568AF765B76488B52FD6AB0AF46310F11817AD58AD71C3CE3DF840A352

Function 00007FFD34370DE6 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

#CM_^, xrefs: 00007FFD34370E69

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: 2a390b118bcbdb7b8860f2529c0885b71c3691d0cda8a18994e76dfff493c46b
Instruction ID: d4871ba1f0e9035fe37d6dda3cce8cd4db4393cb929d1c50f65b41f44c5f2d87
Opcode Fuzzy Hash: 2a390b118bcbdb7b8860f2529c0885b71c3691d0cda8a18994e76dfff493c46b
Instruction Fuzzy Hash: DF018031E8D616CBE765B714C8A03FD7661EB42320F10C134C14AE72C6CE7DB841A790

Function 00007FFD34370E87 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

#CM_^, xrefs: 00007FFD34370DA8

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID: #CM_^
API String ID: 0-2311673530
Opcode ID: d23cdde1cb50a8898b9e85c1f96ba3180604fb877c745c0af5cccf34ad03f8bb
Instruction ID: f435f8086705b7758e4fa205e5fdce3a8bf2ea543da0f4d8fef965fa322cc74a
Opcode Fuzzy Hash: d23cdde1cb50a8898b9e85c1f96ba3180604fb877c745c0af5cccf34ad03f8bb
Instruction Fuzzy Hash: AEF0AF30F8D2568AF329B66488A43FA7671AB42310F00C279D58AD71DACF7DBC40A680

Function 00007FFD34371E37 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269b495f13779b2da02c509bd9717e0542cc2d28b4e43a9673e054190e561732
Instruction ID: c55d36c52ad75e8d9e8929853650765290d831624c3b42696a7d74b7ef6bcf12
Opcode Fuzzy Hash: 269b495f13779b2da02c509bd9717e0542cc2d28b4e43a9673e054190e561732
Instruction Fuzzy Hash: 6F415622B9D6820FE75577741C7A1F63FA5DF86310B0942BBE089C7693DC2D58838351

Function 00007FFD343706E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd930e667c916c65b4099690577310d36f6ec667b2c47e5ae9438cb66fb79e3
Instruction ID: ad6acb12783629611ac6b60176c3dfd72fbab9432358b467c9113b2660b80ef5
Opcode Fuzzy Hash: 0dd930e667c916c65b4099690577310d36f6ec667b2c47e5ae9438cb66fb79e3
Instruction Fuzzy Hash: 5631EA22B1C9490BE7A4B76C88693B926D6EFD9351F50417AE09ED32D6DD2DAC028381

Function 00007FFD34371921 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e18b80cb3d8627fbc78f4215b18c3b2317358e663c6a2e57af0fda79a9b4f73
Instruction ID: 2fc11c379ac43d6e22ec03928f9a044de4cd0cd1071ff6ff468d0a65aefdff30
Opcode Fuzzy Hash: 7e18b80cb3d8627fbc78f4215b18c3b2317358e663c6a2e57af0fda79a9b4f73
Instruction Fuzzy Hash: 9A31FB31B0CB454FE759E76C98556B97BE1EB9A314F04017EE08EC3393DD2959068342

Function 00007FFD34371A7D Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a21864d78e7bd05d107bbd27d5c805bbde598bf4c08ccd294051cb4e236601
Instruction ID: 39d927b42cf9229665b0335265676369f821d8a38916715f93db25ee98733558
Opcode Fuzzy Hash: c9a21864d78e7bd05d107bbd27d5c805bbde598bf4c08ccd294051cb4e236601
Instruction Fuzzy Hash: 2B310831B4DA994FDB95E76888A43E93FE2FF89310F1441BAD089D7392CA795801D741

Function 00007FFD343721C7 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833efd16f7b61c955987130fe9ae6f217cfe3f5da4d8080931f0068e438626d1
Instruction ID: 0494ef9583367e84c577b26bb368a06e9e29b1c1b99052e3765e131de8719cfa
Opcode Fuzzy Hash: 833efd16f7b61c955987130fe9ae6f217cfe3f5da4d8080931f0068e438626d1
Instruction Fuzzy Hash: 5E31E131B0DA894FD795F77898A96A87BE1EF8A311B0444B6E449C72A3DD3C9C41C740

Function 00007FFD34371B5B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0cacff4954f448e0c291a5de8296d8495a039953c2aaa4cb52ed7d7a2ad8a4
Instruction ID: 956f3798b117286c8f778f1420065f7a8741e281944161c86374fff7ff800070
Opcode Fuzzy Hash: cd0cacff4954f448e0c291a5de8296d8495a039953c2aaa4cb52ed7d7a2ad8a4
Instruction Fuzzy Hash: 6D21E432B4890D4FDF94FB6898A1AFDB7E1EB99310B00427AD45ED3391CD38AC015780

Function 00007FFD3437159C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f850ee0ac59516c64110727e00e089281e48c566ff788caa23544e3959f23e4
Instruction ID: 43412e27f2ec9bc0ebf31a2e5ae02e263745c1136b6282cf67b0726fa1c87ceb
Opcode Fuzzy Hash: 3f850ee0ac59516c64110727e00e089281e48c566ff788caa23544e3959f23e4
Instruction Fuzzy Hash: E5312B20B2491E8FEB94FB6C80A967876E2FF9D6157514075E80DD33ABDD38AC429740

Function 00007FFD343713FB Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a0a51048e320bfdd3cc870455ca7315594a7f9196776cdf8171d72bd6c20f9
Instruction ID: 75a70183f2a384a63d8cc12bb4f17426e4f7ea26f6861cdd9af9ad79693a2ee1
Opcode Fuzzy Hash: 65a0a51048e320bfdd3cc870455ca7315594a7f9196776cdf8171d72bd6c20f9
Instruction Fuzzy Hash: 79219521B2CA554FDBA9F77880A96B977E1EF59310B5044B9E44EC3297DD3CE8418340

Function 00007FFD34370F30 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f56fdd6605e69119de0edd8baf1cdbe1021bc3fe75e7c596bc843ab36bfcbc9
Instruction ID: 3111b5daa1d7ac7b3282cf27f93411f85a01f145fb17a9f8ee3adb1dcd74281f
Opcode Fuzzy Hash: 3f56fdd6605e69119de0edd8baf1cdbe1021bc3fe75e7c596bc843ab36bfcbc9
Instruction Fuzzy Hash: 5F215171B0891D8FDFA4EB5884A53ED7AE2FB98310F54417AD14EE3381CE39A842DB50

Function 00007FFD34372A49 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1927ff184dcf2d8b57de64b637510179555c48dd5cfb0ab93039dd4d38b7bee5
Instruction ID: e867decb0a9056e13a1f06a7a666715c6b73ae124aa42161d70daf291a32aa44
Opcode Fuzzy Hash: 1927ff184dcf2d8b57de64b637510179555c48dd5cfb0ab93039dd4d38b7bee5
Instruction Fuzzy Hash: 7721262164D5990FE76597588C28BE63BA5DF8A320F0541BBE08AC72C3CD2C990783A1

Function 00007FFD343707E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf58fe909bd41b1f02f9f03f0a59214246e0b2e3da7a55d4f4764f4dfbe4662
Instruction ID: 06296a5c32fc6029bfb6b794be8fdb68f8050b67784b014a536313c5e7a0d69e
Opcode Fuzzy Hash: 7cf58fe909bd41b1f02f9f03f0a59214246e0b2e3da7a55d4f4764f4dfbe4662
Instruction Fuzzy Hash: E3113B17E0E1992AE32177ACB8B60EA3F68DF47339B094273D2CC9B493ED1D615582C5

Function 00007FFD3437212E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023e6fc0c76ead51d534ea1b467468bdf2f8ab58a3922f8a8fefbb7a9bd4c792
Instruction ID: f2395c6e5d9b406d36a169a6326f6e14fb7b715c105b2c2d9ab03ba6666a007a
Opcode Fuzzy Hash: 023e6fc0c76ead51d534ea1b467468bdf2f8ab58a3922f8a8fefbb7a9bd4c792
Instruction Fuzzy Hash: F611E731F5C9098FE768BA6884A567933D3FB99310F158279D14EC32E6DE3CEC429240

Function 00007FFD34372FEB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f4428cf842a2329e199eef053a695b70d553d3a0c3c61ee3c0633928ec5e6d
Instruction ID: f68555b7f5124515a1168cfd1c3952c4ca5e3def30395de260849863865f705d
Opcode Fuzzy Hash: 36f4428cf842a2329e199eef053a695b70d553d3a0c3c61ee3c0633928ec5e6d
Instruction Fuzzy Hash: ED11D021B5C5598FE758BB6888B5B793BD1FB4A310F50817AC19EC32D2DE3CA801E701

Function 00007FFD343706F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab7c7df92a9654fe9041a9d23fea7ca5990cee2873dd5344fd08de90d2ade62
Instruction ID: d2000ee94d5a4422db934dd4917063ff01608a39765fbe9cb27f50ab4cd3b1aa
Opcode Fuzzy Hash: 7ab7c7df92a9654fe9041a9d23fea7ca5990cee2873dd5344fd08de90d2ade62
Instruction Fuzzy Hash: 49114630B5C91B8AEA64B71498F0B793A91FF17314F555075E18ED3186CE3CA450A752

Function 00007FFD34370BF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775371d57cbefd10fa07b39180f488aa48ee32fdd57fa05c4abb1f12cce9e771
Instruction ID: 690f804bb7712f069faf643564858e4e3277d6f6f76627de6e9c23afae64af8a
Opcode Fuzzy Hash: 775371d57cbefd10fa07b39180f488aa48ee32fdd57fa05c4abb1f12cce9e771
Instruction Fuzzy Hash: 23117331A4E6CA8FDB52A7644CB50E93FB0AF07210F4580FBD589DB0D3E93CA9099742

Function 00007FFD34370C28 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142b00d9202e21e2af6fdae83b9198120e2e196d7adc283fc8b1efb52aaee6f0
Instruction ID: 06b149bf879bf18f3c09f971f6c677011218fe3866bcdbc8a4fd2db7c2dd38dc
Opcode Fuzzy Hash: 142b00d9202e21e2af6fdae83b9198120e2e196d7adc283fc8b1efb52aaee6f0
Instruction Fuzzy Hash: 1C113C62A4E7C94FD752A7644CA51E97FB0AF07200F4940EBD589CB0E3EA2D99499342

Function 00007FFD34370C0F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe22bdf8aedf2d26d4c879adc97f5e61df7a71f6c90a10d6d311a5d959cf992
Instruction ID: e0a9b542b7d719b380d594266e11b464d9976506a5011f0144917acd52849528
Opcode Fuzzy Hash: 7fe22bdf8aedf2d26d4c879adc97f5e61df7a71f6c90a10d6d311a5d959cf992
Instruction Fuzzy Hash: E8015261E5E6CE8FDB52A7684CA50E97FB0AF56200F1441F6D589CB0D3EA3CA5099342

Function 00007FFD34372162 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02911c430f17818f82378fa10325f6ebee45940bfea33b300e2d0373a5e0efa0
Instruction ID: fa6dc296bc2e457dcdc92f9769e1d6d48438915c05f92d35ff05fbb46466adfb
Opcode Fuzzy Hash: 02911c430f17818f82378fa10325f6ebee45940bfea33b300e2d0373a5e0efa0
Instruction Fuzzy Hash: 23016232B4C8158FE768B61C94A96B932D3FB99310B1A8175E04DC32E6DE38AC42D280

Function 00007FFD3437136A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69feeb3f2e9bae181c9a7eb1eac1289be8083626921ffbbdde0a4d858298022d
Instruction ID: de092ebca74351201bfe39516dee5ececacfbcaffaa7167833ed39785b54beaa
Opcode Fuzzy Hash: 69feeb3f2e9bae181c9a7eb1eac1289be8083626921ffbbdde0a4d858298022d
Instruction Fuzzy Hash: 0101DF31B1881E8FEBA4F76880A467D76E3EF9932175080B1D84DD339ACD3CAC019780

Function 00007FFD34372FF7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a25cc557ad3d70b7b028e84606830d8eece289f4bcbd0d79ab1504c8a39c95
Instruction ID: 09bda5350c85bf9f7b3c60d27c9ed62a54334176403215bf44586e3d8b20b8d2
Opcode Fuzzy Hash: 42a25cc557ad3d70b7b028e84606830d8eece289f4bcbd0d79ab1504c8a39c95
Instruction Fuzzy Hash: 0F015220B5C5098FE398BB1888A973576D1FB4A314F904135D19ED32D6CE3C9801E701

Function 00007FFD34372B14 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3ee3cf58d1874cb22f24998455aa05aa4e19b6b8c721d7cef451e2d2778133
Instruction ID: 2a4687cf0b13d093918cdc95b15d556ec67c03b3b9acdfac4976264c937c1f5f
Opcode Fuzzy Hash: ae3ee3cf58d1874cb22f24998455aa05aa4e19b6b8c721d7cef451e2d2778133
Instruction Fuzzy Hash: B501D622B4C546C7E725AA589CA16F97BA0EB87330F54407AC6CAC31C2C93DB456A282

Function 00007FFD343727C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad56565cfa3b102acbd18f00d2b8700c3c553b45233a478a3109732dd75a0c7
Instruction ID: 43e0a0489521766b0bab8e1575ebca455f07c28f9e7e92049ef9cf650c814a1f
Opcode Fuzzy Hash: 9ad56565cfa3b102acbd18f00d2b8700c3c553b45233a478a3109732dd75a0c7
Instruction Fuzzy Hash: 16F0F412A0CB910FF355B3385CA91263FE1DB96690F0844BBE888D71EBD82C99418352

Function 00007FFD34371A3B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e61a2e36d09af72f28f9a89927d325ea770837892a778bcbcd73ec40665f05
Instruction ID: 47d0a56391224073d336bbae63a27a614dafd4bc3dbcf9e19dc37155a232971d
Opcode Fuzzy Hash: 08e61a2e36d09af72f28f9a89927d325ea770837892a778bcbcd73ec40665f05
Instruction Fuzzy Hash: 04E0E57250D60C1EAB08A519AC478F67F98DA87238B00005FF19DC2153E112A5238256

Function 00007FFD34370850 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a39346be71a9f64c6ec79485fb415638f5eb8283309fcf45a206301d224e082
Instruction ID: 152fb0d657d8139bf67af9208d87e307da7fcf614b675c6835acdccfa53baaac
Opcode Fuzzy Hash: 5a39346be71a9f64c6ec79485fb415638f5eb8283309fcf45a206301d224e082
Instruction Fuzzy Hash: 4FF0A717A4D1D91AE721377C6CE70E73F64DF47228F094172E6CCCA043DD1D56569282

Function 00007FFD34370848 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef8cca4776ac5ee36d156e8aeb066ef4abf1181a10a1f5e8a1c6d7762814b38
Instruction ID: 576a703fb8e21bddef88d11be5cddb0b853db8b85d458627da25394645223a90
Opcode Fuzzy Hash: 4ef8cca4776ac5ee36d156e8aeb066ef4abf1181a10a1f5e8a1c6d7762814b38
Instruction Fuzzy Hash: 71F0596794D2C93ED3253768ACA20EA3F64EF03318F064173E1C8C70A3EE1D51248382

Function 00007FFD34370A35 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae815d80855b50bb95ce02c24c79f1ef6f2bafe86b202170610865269292a3c
Instruction ID: ef10d52f33cdb5a8163308c4ccac6d80da2d16fc8c0bfb322e896bbdc45aa037
Opcode Fuzzy Hash: 6ae815d80855b50bb95ce02c24c79f1ef6f2bafe86b202170610865269292a3c
Instruction Fuzzy Hash: 51F0B460A9C38A9FD361B37448E00B97FB0AF4B214F9040B3D48AD32C3D83C96456712

Function 00007FFD34372831 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a32935a85e3b8a8a20683011d16ed986cd80f161e29771c0bdc0a34dc811a4
Instruction ID: 8c94ac30a2b0f07225252716f148d9645daf5b6010d0ed85db353a973d848c4f
Opcode Fuzzy Hash: c6a32935a85e3b8a8a20683011d16ed986cd80f161e29771c0bdc0a34dc811a4
Instruction Fuzzy Hash: FAE02C32C9C38C0FDF61AA1008A30EA3FA0EF12200F40018AEA0886052EA2895088382

Function 00007FFD34371F8F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeac3264a46d5835a3d8a3510988a7905d8d5781697cd222025aa447c964e00
Instruction ID: 3249d5163931882db199ccdac311a9d07ba7385892397b6866f0415ecd9fb0f2
Opcode Fuzzy Hash: dfeac3264a46d5835a3d8a3510988a7905d8d5781697cd222025aa447c964e00
Instruction Fuzzy Hash: 13E04F21B148194FFF44BBEC94662FCB2E5EB5C211F10017AD50DD3282DE2CA4018790

Function 00007FFD343732BF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a193113218b4875a5d2c16f802439d78c8323b429e25df926fe69f8efcafeb
Instruction ID: 5dadceedf38f5c3931fc364834536f8c926873be0f3ae7c3185bbcb3cc0caa49
Opcode Fuzzy Hash: 90a193113218b4875a5d2c16f802439d78c8323b429e25df926fe69f8efcafeb
Instruction Fuzzy Hash: B7F01230B4C209CBDB64FF24C4A156837A2BF46304F604478D59AD7285CF3EE441EB52

Function 00007FFD34371B91 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b133274d51e6a98ceb5b32d7005378df506ed9513f48b016acf895891fe4dc28
Instruction ID: ed110551cc94d61f590e94865986e3620e32a316810f0ef0005a23784cd2cdd1
Opcode Fuzzy Hash: b133274d51e6a98ceb5b32d7005378df506ed9513f48b016acf895891fe4dc28
Instruction Fuzzy Hash: 47E039326084198BEB54FB04C894AA833A1E755310F088265C419D32D4DB38A980CB80

Function 00007FFD34370A09 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e7dc34d3cdb2ccaaf587f583ae6761e7eb618ee0f3c299c1e80238464e5ac1
Instruction ID: 93d6bc60c9b775e78a62b61951baab19eb4a67050150293527107241d4b6d504
Opcode Fuzzy Hash: c2e7dc34d3cdb2ccaaf587f583ae6761e7eb618ee0f3c299c1e80238464e5ac1
Instruction Fuzzy Hash: 4FD06C4188E7CA4FD30732740DB20953F705E57250B8B41E3E684CA4A3E92D99499B62

Function 00007FFD343718C9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22885650339a9fed17d29eddb8080b1639e05bd2e4b2ff9b1e934e48693acd59
Instruction ID: 2c5164175f6aed46ef429208a6099681bba3eaad6fe2ff801918b4032ed55828
Opcode Fuzzy Hash: 22885650339a9fed17d29eddb8080b1639e05bd2e4b2ff9b1e934e48693acd59
Instruction Fuzzy Hash: 4FD05E31B4440E8BCF50E784D8614FE7B31FF86214F408031D20DE3181C93868159781

Function 00007FFD34371389 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895b380804f0c89119dddbd24540bbd93c4ec746a1fd1e3e460f9d10bbdab2a9
Instruction ID: 76aa2c109f28c22492aaca5c847dbfb850bf1b6e347dad7020c35c55e64405b5
Opcode Fuzzy Hash: 895b380804f0c89119dddbd24540bbd93c4ec746a1fd1e3e460f9d10bbdab2a9
Instruction Fuzzy Hash: 77C01233F4C12D9DDF00E984A8410FDB7F0EB092B1F101473D289E3141D52EA91057A0

Function 00007FFD343730F3 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3414161992.00007FFD34370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34370000_17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb91.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b467e3041919afb781cc0137cdb09c4ed7f8f2bceec4006924d9d6d6424a3c83
Instruction ID: 2b25159e6d804b157f477bd2324b59366d6f2c247e1533862ab0d9b90d98da2a
Opcode Fuzzy Hash: b467e3041919afb781cc0137cdb09c4ed7f8f2bceec4006924d9d6d6424a3c83
Instruction Fuzzy Hash: A7C01270A0851DCFC7569F50C95555C3FB0FF15340B454169D106E71D1D7255846CB11

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exe