Summary | ZeroBOX

test.exe

AsyncRAT Malicious Library PWS
Category FILE
Machine s1_win7_x6401
Started April 27, 2021, 4:45 p.m.
Completed April 27, 2021, 4:48 p.m.
Size 2.0MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d2be9aab83d330520dbd61c621ffede3
SHA256 7ebcf21372bbdf855301b99f28618be062898a5a2a7a6f93b29fdfd2a6095b9b
CRC32 A515516A
ssdeep 49152:E6HKNn4GoNDYQ8xJsiMJeIKpubGU1uqGn40D4avn67:vAsVeI/bGUEf
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • win_mutex - Create or check mutex

Name Response Post-Analysis Lookup
2.tcp.ngrok.io 52.14.18.129

IP Address | Status | Action
164.124.101.2 | Active | Moloch
3.131.207.170 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 | 2022642 | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) | Potential Corporate Privacy Violation
TCP 192.168.56.101:49205 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49203 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49201 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49203 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49208 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49204 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49202 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49202 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49209 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49206 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49206 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53 | 2022642 | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) | Potential Corporate Privacy Violation
TCP 192.168.56.101:49207 -> 3.131.207.170:11797 | 2260000 | SURICATA Applayer Mismatch protocol both directions | Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 3.131.207.170:11797 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
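
Triaging these alerts, as an added example rather than ZeroBOX code: the script below parses the alert rows above (copied from the report), groups them by destination, counts distinct client ports as separate TCP connections, and flags the destination that repeatedly tripped the JA3 rule on a non-standard port. The SID constants are the ones in the table and the Name/IP pair comes from the DNS table above; the port list, the reconnect threshold and the flagging heuristic are this example's own assumptions.

```python
"""Triage a sandbox report's Suricata alert table: which destination is the C2?

Added example. The alert rows are copied from the report; the flagging
heuristic (non-standard port + repeated reconnects + JA3 malware hit) is
an assumption of this example, not something ZeroBOX or Suricata computes.
"""
import re
from collections import defaultdict

ALERTS = """\
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2022642 ET POLICY DNS Query to a *.ngrok domain (ngrok.io) Potential Corporate Privacy Violation
TCP 192.168.56.101:49205 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49203 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49201 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49203 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49208 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49204 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49202 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49202 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49209 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49206 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49206 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53 2022642 ET POLICY DNS Query to a *.ngrok domain (ngrok.io) Potential Corporate Privacy Violation
TCP 192.168.56.101:49207 -> 3.131.207.170:11797 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 3.131.207.170:11797 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
"""

# SIDs exactly as they appear in the report.
SID_NGROK_DNS = 2022642          # ET POLICY DNS Query to a *.ngrok domain
SID_JA3_MALWARE = 2028401        # ET JA3 Hash - Possible Malware
SID_APPLAYER_MISMATCH = 2260000  # decoder event: protocol differs per direction; noise by itself

# Name -> IP as recorded in the report's DNS table.
DNS_TABLE = {"2.tcp.ngrok.io": "52.14.18.129"}

FLOW_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<sid>\d+) (?P<msg>.+)$"
)


def parse_alerts(text):
    """Turn 'PROTO src:sport -> dst:dport SID msg' rows into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("sport", "dport", "sid"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def profile_destinations(rows):
    """Group by dst ip:port. Each distinct client port is a distinct TCP connection,
    so len(sports) counts how often the sample (re)connected to that endpoint."""
    prof = defaultdict(lambda: {"proto": None, "sports": set(), "sids": set()})
    for r in rows:
        entry = prof[f"{r['dst']}:{r['dport']}"]
        entry["proto"] = r["proto"]
        entry["sports"].add(r["sport"])
        entry["sids"].add(r["sid"])
    return prof


def flag_c2(prof, min_connections=3, common_ports=(80, 443)):
    """Heuristic (assumption of this example): TCP endpoint on an uncommon port,
    reconnected to at least min_connections times, with a JA3 malware alert."""
    hits = []
    for key, p in prof.items():
        port = int(key.rsplit(":", 1)[1])
        if (p["proto"] == "TCP" and port not in common_ports
                and len(p["sports"]) >= min_connections
                and SID_JA3_MALWARE in p["sids"]):
            hits.append(key)
    return sorted(hits)


def triage(text, dns_table=DNS_TABLE):
    rows = parse_alerts(text)
    prof = profile_destinations(rows)
    c2 = flag_c2(prof)
    c2_ips = {k.rsplit(":", 1)[0] for k in c2}
    saw_ngrok_query = any(r["sid"] == SID_NGROK_DNS for r in rows)
    tunnel_domains = sorted(n for n in dns_table if n.endswith(".ngrok.io")) if saw_ngrok_query else []
    return {
        "alerts": len(rows),
        "c2_endpoints": c2,
        "connections": {k: len(prof[k]["sports"]) for k in c2},
        "tunnel_domains": tunnel_domains,
        # False here: the IP the report resolved for the tunnel hostname is not
        # the IP the sample actually talked to, so pin the hostname, not the IP.
        "dns_ip_matches_traffic": any(ip in c2_ips for ip in dns_table.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ALERTS), indent=2))
```

On this report the result is nine connections from client ports 49201-49209 to 3.131.207.170:11797, two `*.ngrok.io` DNS queries, and a recorded lookup for 2.tcp.ngrok.io (52.14.18.129) that does not match the address the sample connected to. That is what an ngrok TCP tunnel looks like from the outside: the hostname and the ngrok query are the durable indicators, the tunnel IP is not. The 2260000 decoder events add nothing on their own; they only say the traffic on 11797 was not decoded as a protocol Suricata recognised in both directions.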

Suricata TLS

No Suricata TLS

Elastic malicious (high confidence)
DrWeb BackDoor.AsyncRATNET.1
MicroWorld-eScan Trojan.GenericKD.36605901
FireEye Generic.mg.d2be9aab83d33052
ALYac Trojan.GenericKD.36605901
Cylance Unsafe
Zillya Trojan.Agent.Win32.1907040
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0055e1351 )
Alibaba Backdoor:MSIL/AsyncRAT.b924e8e2
K7GW Trojan ( 0055e1351 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZemsilF.34670.co0@aCfV@ib
Cyren W32/MSIL_Agent.BTI.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFW
APEX Malicious
Avast Win32:DropperX-gen [Drp]
ClamAV Win.Packed.Razy-9625918-0
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender Trojan.GenericKD.36605901
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.36605901
Sophos Generic ML PUA (PUA)
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DCT21
McAfee-GW-Edition BehavesLike.Win32.Generic.vh
Emsisoft Trojan.GenericKD.36605901 (B)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_99%
Avira HEUR/AGEN.1121262
Microsoft Backdoor:MSIL/AsyncRAT.GG!MTB
Arcabit Trojan.Generic.D22E8FCD
GData Trojan.GenericKD.36605901
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4139220
McAfee Fareit-FZT!D2BE9AAB83D3
MAX malware (ai score=86)
VBA32 TScope.Trojan.MSIL
Malwarebytes Backdoor.AsyncRAT.MSIL.Generic
TrendMicro-HouseCall TROJ_GEN.R002C0DCT21
Rising Trojan.AntiVM!1.CF63 (CLOUD)
Ikarus Trojan.MSIL.Agent
MaxSecure Trojan.Malware.74418669.susgen
Fortinet MSIL/Agent.CFQ!tr
AVG Win32:DropperX-gen [Drp]
Cybereason malicious.b83d33
Panda Trj/GdSda.A
Qihoo-360 Win32/Backdoor.AsyncRAT.HwMAPaQA