Spyware Keylogger Backdoor
Mal/Generic-S AsyncRAT
Created on 2023-01-18T22:45:13+00:00
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
Remarks (2/2)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "5 minutes, 10 seconds" to "10 seconds" to reveal dormant functionality.
(0x0200004F): Static Analysis failed to analyze file artifacts in this analysis due to an error. Check the static_analysis_log_f7fa19b5f4433cf9357d39a44f13d1f0d18ad75712d310ff62dd65febfad9e41.log file for further information.
This list contains only the embedded files, downloaded files, and dropped files
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe | Sample File | Binary | Malicious |

Verdict | Malicious |
Names | Mal/Generic-S |
Image Base | 0x00400000 |
Entry Point | 0x00454E8E |
Size Of Code | 0x00053000 |
Size Of Initialized Data | 0x00000A00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-12-26 16:08 (UTC+1) |
Comments | mini calculator |
CompanyName | For users |
FileDescription | mini calculator |
FileVersion | 1.0.0.0 |
InternalName | mini calculator.exe |
LegalCopyright | Copyright © 2017 |
LegalTrademarks | - |
OriginalFilename | mini calculator.exe |
ProductName | - |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00052E94 | 0x00053000 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.5 |
.sdata | 0x00456000 | 0x000001E8 | 0x00000200 | 0x00053400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.63 |
.rsrc | 0x00458000 | 0x000005E8 | 0x00000600 | 0x00053600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.16 |
.reloc | 0x0045A000 | 0x0000000C | 0x00000200 | 0x00053C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00054E68 | 0x00053268 | 0x00000000 |
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe | 1 | 0x00400000 | 0x0045BFFF | Relevant Image | 64-bit | - |
82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe | 1 | 0x00400000 | 0x0045BFFF | Final Dump | 64-bit | - |
buffer | 1 | 0x1E130000 | 0x1E181FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
windowsdatac.exe | 2 | 0x00400000 | 0x0045BFFF | Relevant Image | 64-bit | - |
buffer | 2 | 0x1AB20000 | 0x1AB71FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
windowsdatac.exe | 8 | 0x00400000 | 0x0045BFFF | Relevant Image | 64-bit | - |
buffer | 8 | 0x1DB40000 | 0x1DB91FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 8 | 0x1DBA0000 | 0x1DBF1FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
windowsdatac.exe | 8 | 0x00400000 | 0x0045BFFF | Final Dump | 64-bit | - |
C:\Users\RDHJ0C~1\AppData\Local\Temp\wwst.exe | Dropped File | Binary | Malicious |
Image Base | 0x00400000 |
Entry Point | 0x0042D1BE |
Size Of Code | 0x0002B200 |
Size Of Initialized Data | 0x00000800 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2023-01-14 02:13 (UTC+1) |
Comments | - |
CompanyName | - |
FileDescription | Client |
FileVersion | 1.0.0.0 |
InternalName | Client.exe |
LegalCopyright | Copyright © 2021 |
LegalTrademarks | - |
OriginalFilename | Client.exe |
ProductName | Client |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x0002B1C4 | 0x0002B200 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.92 |
.rsrc | 0x0042E000 | 0x00000600 | 0x00000600 | 0x0002B400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.03 |
.reloc | 0x00430000 | 0x0000000C | 0x00000200 | 0x0002BA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x0002D194 | 0x0002B394 | 0x00000000 |
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
wwst.exe | 3 | 0x00400000 | 0x00431FFF | Relevant Image | 32-bit | - |
wwst.exe | 10 | 0x00400000 | 0x00431FFF | Relevant Image | 32-bit | - |
buffer | 10 | 0x0433E000 | 0x0433FFFF | First Network Behavior | 32-bit | - |
buffer | 10 | 0x00195000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
wwst.exe | 10 | 0x00400000 | 0x00431FFF | First Network Behavior | 32-bit | - |
wwst.exe | 10 | 0x00400000 | 0x00431FFF | Final Dump | 32-bit | - |
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
AsyncRAT | AsyncRAT | Backdoor | 5/5 |
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Rnts.exe | Dropped File | Binary | Malicious |

Verdict | Malicious |
Names | Mal/Generic-S |
Image Base | 0x00400000 |
Entry Point | 0x0042522E |
Size Of Code | 0x00023400 |
Size Of Initialized Data | 0x00000800 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-12-24 20:51 (UTC+1) |
Comments | PerfWatso somes |
CompanyName | Santech Solutions |
FileDescription | PerfWatso |
FileVersion | 1.0.0.0 |
InternalName | PerfWatso.exe |
LegalCopyright | Copyright © 2017 |
LegalTrademarks | - |
OriginalFilename | PerfWatso.exe |
ProductName | PerfWatso v.32 |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00023234 | 0x00023400 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52 |
.rsrc | 0x00426000 | 0x000005EE | 0x00000600 | 0x00023600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.19 |
.reloc | 0x00428000 | 0x0000000C | 0x00000200 | 0x00023C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x000251FC | 0x000233FC | 0x00000000 |
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
runit.exe | 4 | 0x00030000 | 0x00059FFF | Relevant Image | 32-bit | 0x00047088 |
runit.exe | 9 | 0x00080000 | 0x000A9FFF | Relevant Image | 32-bit | 0x00097088 |
runit.exe | 9 | 0x00080000 | 0x000A9FFF | Final Dump | 32-bit | - |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US.zip | Dropped File | ZIP | Clean |
Number of Files | 22 |
Number of Folders | 0 |
Size of Packed Archive Contents | 40.88 KB |
Size of Unpacked Archive Contents | 75.08 KB |
File Format | zip |
File Name | Packed Size | Unpacked Size | Compression | Is Encrypted | Modify Time | Verdict | Recursively Submitted |
---|---|---|---|---|---|---|---|
System\Windows.txt | 106 Bytes | 162 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Directories\Temp.txt | 757 Bytes | 1.10 KB | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
System\WorldWind.jpg | 36.21 KB | 54.68 KB | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\Camera Roll\desktop.ini | 133 Bytes | 190 Bytes | Deflate | False | 2021-02-17 09:09 (UTC+1) | Clean (known to be clean) | - |
Directories\Desktop.txt | 581 Bytes | 867 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Directories\Pictures.txt | 445 Bytes | 717 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Desktop\desktop.ini | 149 Bytes | 282 Bytes | Deflate | False | 2021-02-11 12:23 (UTC+1) | Clean (known to be clean) | - |
Directories\Downloads.txt | 28 Bytes | 26 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
System\ScanningNetworks.txt | 84 Bytes | 84 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\tH7ZiLMX-lNDz2T4flA\5-DZJSZ32WSdJ.xls | 20 Bytes | 2.68 KB | Deflate | False | 2022-09-04 11:51 (UTC+2) | Clean (known to be clean) | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\desktop.ini | 188 Bytes | 504 Bytes | Deflate | False | 2021-02-11 12:23 (UTC+1) | Clean (known to be clean) | - |
Directories\Startup.txt | 26 Bytes | 24 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Directories\OneDrive.txt | 27 Bytes | 25 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Downloads\desktop.ini | 149 Bytes | 282 Bytes | Deflate | False | 2021-02-11 12:23 (UTC+1) | Clean (known to be clean) | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\zuwnbRBCFb l.docx | 21 Bytes | 4.74 KB | Deflate | False | 2022-05-18 07:51 (UTC+2) | Clean (known to be clean) | - |
System\Process.txt | 476 Bytes | 1.49 KB | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\EZSCq5D5osPMTO5bb2Q.jpg | 21 Bytes | 4.78 KB | Deflate | False | 2022-09-05 10:41 (UTC+2) | Clean (known to be clean) | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\desktop.ini | 171 Bytes | 402 Bytes | Deflate | False | 2021-02-11 12:23 (UTC+1) | Clean (known to be clean) | - |
Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\Saved Pictures\desktop.ini | 132 Bytes | 190 Bytes | Deflate | False | 2021-02-17 09:09 (UTC+1) | Clean (known to be clean) | - |
Directories\Videos.txt | 497 Bytes | 766 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
Directories\Documents.txt | 762 Bytes | 1.17 KB | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
System\ProductKey.txt | 9 Bytes | 29 Bytes | Deflate | False | 2023-01-18 23:48 (UTC+1) | Clean | - |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\System\WorldWind.jpg | Dropped File | Image | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\EZSCq5D5osPMTO5bb2Q.jpg | Dropped File | Image | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\EZSCq5D5osPMTO5bb2Q.jpg | Dropped File | Stream | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\zuwnbRBCFb l.docx | Dropped File | ZIP | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\zuwnbRBCFb l.docx | Dropped File | Stream | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\tH7ZiLMX-lNDz2T4flA\5-DZJSZ32WSdJ.xls | Dropped File | Unknown | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\tH7ZiLMX-lNDz2T4flA\5-DZJSZ32WSdJ.xls | Dropped File | Stream | Clean (known to be clean) |

Verdict | Clean (known to be clean) |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\System\Process.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Documents.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Temp.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Desktop.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Videos.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Pictures.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Documents\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Downloads\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Desktop\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\Camera Roll\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |

C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\Grabber\DRIVE-C\Users\RDhJ0CNFevzX\Pictures\Saved Pictures\desktop.ini | Dropped File | Text | Clean (known to be clean) |

Verdict | Clean (known to be clean) |
C:\Users\RDhJ0CNFevzX\AppData\Local\77d6f3ea3b56fc0f6b6f10284ad90596\RDhJ0CNFevzX@XC64ZB_en-US\System\Process.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\System\Windows.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\System\ScanningNetworks.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\System\ProductKey.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Downloads.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\OneDrive.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\RDhJ0CNFevzX@XC64ZB_en-US\Directories\Startup.txt | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\a064c843e183ccea646badeb280e154a\msgid.dat | Dropped File | Stream | Clean (known to be clean) |
c54143f949176485168a3bbadbc868c8017762f0c5ece1cb158db5bf5ba07703 | Downloaded File | Text | Clean |