Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 1, 2021, 9:25 a.m.	June 1, 2021, 9:27 a.m.

Size	490.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`51ee29d68a7aefead4a82af353bab78c`
SHA256	`65b35ba772d10c08be142c05e1110a79050d4fcea0e6c9d1ae57a4a7277bc3ee`
CRC32	`516573C9`
ssdeep	`6144:6C3LNVD6hV1A3Lw/sijQ2fRSKKOojYSv7HNBNgsHEdC997C4MvDQU9:v3f3ijQs3/G7tLfHEqc`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233
ip-api.com	A 208.95.112.1	208.95.112.1
yz.videomarket.eu	A 185.157.161.205	185.157.161.205

IP Address	Status	Action
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
185.157.161.205	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49198 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49198 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49201 162.159.129.233:443	None	None	None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll

Performs some HTTP requests (2 events)

request	GET http://ip-api.com/json/
request	GET https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll

Looks up the external IP address (1 event)

domain

ip-api.com

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00044400', u'virtual_address': u'0x00002000', u'entropy': 7.9785687955263604, u'name': u'.text', u'virtual_size': u'0x0004429e'}

entropy

7.97856879553

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00036200', u'virtual_address': u'0x00048000', u'entropy': 6.896579124656167, u'name': u'.rsrc', u'virtual_size': u'0x00036163'}

entropy

6.89657912466

description

A section with a high entropy has been found

entropy

0.998979591837

description

Overall entropy of this PE file is high

Yara rule detected in process memory (13 events)

description	Communications use DNS	rule	Network_DNS
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:MSIL/Seraph.bdaf608f
K7GW	Trojan-Downloader ( 0057d1d81 )
Cybereason	malicious.47e4fc
Cyren	W32/MSIL_Kryptik.EHH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HYZ
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Seraph.a!c
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
FireEye	Generic.mg.51ee29d68a7aefea
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Agent.32GSXV
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Genmalmil.C4495838
McAfee	Artemis!51EE29D68A7A
Malwarebytes	Malware.AI.2766681978
TrendMicro-HouseCall	TROJ_GEN.R002H0CEV21
Rising	Downloader.Agent!8.B23 (CLOUD)
Ikarus	Trojan.MSIL.Inject
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Agent.HYZ!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34692.Em0@aaPWrHb
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (W)
MaxSecure	Trojan.Malware.300983.susgen

QUAConsoleApp5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All