Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2021, 11:43 a.m.	May 26, 2021, 11:44 a.m.

Size	248.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`87eb69c0cf08d284c76acc6666749a91`
SHA256	`2fb3b47f3d7019e0b9cf86522d44b19b858310178a3cff631d90d248bbcefa11`
CRC32	`1B205A55`
ssdeep	`6144:a4qvWS4KiXbQpGbeeqQsf7byPnhG0MJB:55dGGtqQsny/QTB`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

IMG_3615_763_8.exe C:\Users\test22\AppData\Local\Temp\IMG_3615_763_8.exe
1204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
20.43.94.199	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 26, 2021, 11:44 a.m.	process_identifier: 1204 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00039600', u'virtual_address': u'0x00002000', u'entropy': 7.9400557132422165, u'name': u'.text', u'virtual_size': u'0x000394bc'}

entropy

7.94005571324

description

A section with a high entropy has been found

entropy

0.925403225806

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 26, 2021, 11:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

20.43.94.199

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.f2e21e
ESET-NOD32	a variant of Win32/Injector.EPKO
APEX	Malicious
Sophos	Generic ML PUA (PUA)
eGambit	Unsafe.AI_Score_99%
GData	MSIL.Trojan.BSE.XNY6ZA
BitDefenderTheta	Gen:NN.ZemsilCO.34692.pm0@amLPQQf
Malwarebytes	Malware.AI.3778805661
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen

IMG_3615_763_8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All