Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.26 09:04
228516-0.xml
04.26 05:04
crt.sh _ 17871143715.html
04.26 04:04
VirusTotal - File - b4...
04.26 04:04
VirusTotal - File - b4...
04.26 04:04
Network Trojan emilfec...
04.26 04:04
Network Trojan emilfec...
04.26 02:04
gothenticate.exe
04.26 02:04
gothenticate.exe
04.26 12:04
41e3f69ecc09290e_httpe...
04.25 02:04
Krośnieńska Podgląd wp...

Latest News
04.26 11:04
Hash Functions with th...
04.26 10:04
Elon Musk’s XAI Holdin...
04.26 09:04
Update: rtfdump.py Ver...
04.26 09:04
Only Google Can Run Ch...
04.26 09:04
Deel Sues Rippling for...
04.26 08:04
HHS OCR Settles HIPAA ...
04.26 08:04
XOR Gate as a Frequenc...
04.26 08:04
Microsoft Office 365 M...
04.26 08:04
Beating the AI Game, R...
04.26 07:04
Shopify Offered Carney...

Summary | ZeroBOX

AeroAdmin.exe

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2021, 3:59 p.m.	April 21, 2021, 4 p.m.

Size	3.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`42cf36e9d42beb230502e33d34ea0b05`
SHA256	`657cebf189115e7b8c2c64102392bd56299eef02711e6807331f992247206029`
CRC32	`35DFD2CE`
ssdeep	`49152:OcxFrsKnp7e7K6npEIGAJdfbgrWRmD86RKu+XT/4dKHMxfk0d/bYnadM02p:76KnvygcebVKafk`
PDB Path	aeroadmin.pdb
Yara	network_tcp_listen - Listen for incoming communication network_dropper - File downloader/dropper network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger sniff_audio - Record Audio win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

AeroAdmin.exe "C:\Users\test22\AppData\Local\Temp\AeroAdmin.exe"
2444

Name	Response	Post-Analysis Lookup
auth11.aeroadmin.com	A 37.48.87.53	37.48.87.53

IP Address	Status	Action
164.124.101.2	Active	Moloch
37.48.87.53	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 37.48.87.53:5665	2260001	SURICATA Applayer Wrong direction first Data	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 21, 2021, 3:59 p.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

aeroadmin.pdb

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW April 21, 2021, 3:59 p.m.	service_start_name: start_type: 2 password: display_name: AeroadminService filepath: C:\Users\test22\AppData\Local\Temp\"C:\Users\test22\AppData\Local\Temp\AeroAdmin.exe" s -sid 1 service_name: AeroadminService filepath_r: "C:\Users\test22\AppData\Local\Temp\AeroAdmin.exe" s -sid 1 desired_access: 983551 service_handle: 0x00731040 error_control: 1 service_type: 16 service_manager_handle: 0x00730fa0	1	7540800	0

Installs itself for autorun at Windows startup (1 event)

service_name

AeroadminService

service_path

C:\Users\test22\AppData\Local\Temp\"C:\Users\test22\AppData\Local\Temp\AeroAdmin.exe" s -sid 1