Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 23, 2021, 4:31 p.m.	June 23, 2021, 4:33 p.m.

Size	348.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b6ab9db1c2c1e606268a6f613cfcdf3d`
SHA256	`f4070df8414261f9d218626189c7d3c303457fc6ea442ea413a42131f57cca21`
CRC32	`2B3D93A7`
ssdeep	`6144:fvqQ4i1FFiEKKWDTzfkNqbCXlhN14KfrBF9dlldKePawhX:HplinTzMNLXlhL1F9/ltawhX`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description)

schtasks.exe "schtasks" /create /tn "Realtek Audio Driver" /sc ONLOGON /tr "C:\Users\test22\AppData\Local\Temp\audio.exe" /rl HIGHEST /f
9132
schtasks.exe "schtasks" /create /tn "Realtek Audio Driver" /sc ONLOGON /tr "C:\Users\test22\AppData\Roaming\SubDir\Audio.exe" /rl HIGHEST /f
4012

Name	Response	Post-Analysis Lookup
microsoftupdate001.duckdns.org	A 54.233.121.202	54.233.121.202
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
208.95.112.1	Active	Moloch
54.233.121.202	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49811 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49808 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.102:61459 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 23, 2021, 4:32 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 23, 2021, 4:33 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 23, 2021, 4:32 p.m.	buffer: SUCCESS: The scheduled task "Realtek Audio Driver" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW June 23, 2021, 4:33 p.m.	buffer: SUCCESS: The scheduled task "Realtek Audio Driver" has successfully been created. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

microsoftupdate001.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Looks up the external IP address (1 event)

domain

ip-api.com

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader27.59888
MicroWorld-eScan	Generic.MSIL.PasswordStealerA.DB104F17
CAT-QuickHeal	Trojan.MsilFC.S19436557
McAfee	PWS-FCOI!B6AB9DB1C2C1
Cylance	Unsafe
Sangfor	Win.Malware.Generic-6623004-0
K7AntiVirus	Trojan ( 00521dab1 )
Alibaba	Backdoor:MSIL/Quasar.eed242fa
K7GW	Trojan ( 00521dab1 )
Cybereason	malicious.1c2c1e
BitDefenderTheta	Gen:NN.ZemsilF.34758.vm0@aCrIxak
Cyren	W32/MSIL_Mintluks.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	MSIL/Spy.Agent.AES
APEX	Malicious
Avast	MSIL:Rat-B [Trj]
ClamAV	Win.Trojan.Generic-6295765-0
Kaspersky	Trojan.MSIL.Agent.foww
BitDefender	Generic.MSIL.PasswordStealerA.DB104F17
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Agent.mCnJ
Rising	Backdoor.XRat!1.D01D (CLASSIC)
Ad-Aware	Generic.MSIL.PasswordStealerA.DB104F17
Emsisoft	Generic.MSIL.PasswordStealerA.DB104F17 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TSPY_TINCLEX.SM1
McAfee-GW-Edition	BehavesLike.Win32.Generic.fh
FireEye	Generic.mg.b6ab9db1c2c1e606
Sophos	ML/PE-A + Troj/Subti-A
SentinelOne	Static AI - Malicious PE
GData	Generic.MSIL.PasswordStealerA.DB104F17
Jiangmin	Trojan.Generic.ajfvk
eGambit	Trojan.Generic
Avira	HEUR/AGEN.1135947
MAX	malware (ai score=81)
Arcabit	Generic.MSIL.PasswordStealerA.DB104F17
Microsoft	Backdoor:MSIL/Quasar.GG!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Subti.C4349370
Acronis	suspicious
ALYac	Generic.MSIL.PasswordStealerA.DB104F17
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TSPY_TINCLEX.SM1
Tencent	Msil.Trojan.Agent.Pgmt
Ikarus	Trojan.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.BEU!tr
Webroot	W32.Trojan.Gen
AVG	MSIL:Rat-B [Trj]

audio.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All