popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

asyncclientaaa.exe

AsyncRAT Generic Malware Malicious Library Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 25, 2021, 12:15 a.m. June 25, 2021, 12:17 a.m.
Size 45.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a4f6c257028460c7c5c28e51fba4cb19
SHA256 2f4ba73706cb67f8d443fce6371e28099f0990bc559613d8ef692cd72c49ea58
CRC32 5F139D6E
ssdeep 768:/uwCNToEjaNLWU3zKZmo2q7UVzllcIIPI4pjbEgX3ixpUCCM5iBlFhYU7M/BDZnx:/uwCNToqaS2vVl4JbLXSxpUMiTIU7udx
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "test.txt" has successfully been created.
console_handle: 0x00000007
1 1 0
cmdline schtasks /create /f /sc onlogon /rl highest /tn "test.txt" /tr '"C:\Users\test22\AppData\Roaming\test.txt.exe"'
file C:\Users\test22\AppData\Roaming\test.txt.exe
file C:\Users\test22\AppData\Roaming\test.txt.exe
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Steal credential rule local_credential_Steal
description Take ScreenShot rule ScreenShot
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
cmdline schtasks /create /f /sc onlogon /rl highest /tn "test.txt" /tr '"C:\Users\test22\AppData\Roaming\test.txt.exe"'
host 172.217.25.14
cmdline schtasks /create /f /sc onlogon /rl highest /tn "test.txt" /tr '"C:\Users\test22\AppData\Roaming\test.txt.exe"'
Process injection Process 4672 resumed a thread in remote process 7316
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 7316
1 0 0