popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Async.exe

Generic Malware Malicious Library Malicious Packer Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 27, 2021, 3:30 p.m. Aug. 27, 2021, 4:07 p.m.
Size 45.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 cfd0d3019414ab97ca0501e683121468
SHA256 1af4ec43ca70d9470db5612542c489d99d825d4a5bece64ef08dd465911bce94
CRC32 7F283DB3
ssdeep 768:vuiD1TUEFSuWUow3kmo2qzvlsCPEaMPIcTjbwgX3i50/PWIBDZWx:vuiD1TUKg2kJEaxcXb3XS5+BdWx
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Malicious_Packer_Zero - Malicious Packer
  • OS_Processor_Check_Zero - OS Processor Check
  • Is_DotNET_EXE - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
chromeclusterspectr.ddns.net
A 179.43.187.164
179.43.187.164
IP Address Status Action
164.124.101.2 Active Moloch
179.43.187.164 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 192.168.56.101:49209 -> 179.43.187.164:54842 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "chrome" has successfully been created.
console_handle: 0x00000007
1 1 0
domain chromeclusterspectr.ddns.net
cmdline schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\test22\AppData\Roaming\chrome.exe"'
file C:\Users\test22\AppData\Roaming\chrome.exe
file C:\Users\test22\AppData\Roaming\chrome.exe
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
cmdline schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\test22\AppData\Roaming\chrome.exe"'
cmdline schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\test22\AppData\Roaming\chrome.exe"'
Process injection Process 2552 resumed a thread in remote process 2768
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2768
1 0 0
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.56514
MicroWorld-eScan IL:Trojan.MSILZilla.1627
FireEye Generic.mg.cfd0d3019414ab97
CAT-QuickHeal Trojan.IgenericFC.S14890850
ALYac IL:Trojan.MSILZilla.1627
Cylance Unsafe
Zillya Trojan.Agent.Win32.1334603
K7AntiVirus Trojan ( 005678321 )
K7GW Trojan ( 005678321 )
CrowdStrike win/malicious_confidence_90% (W)
BitDefenderTheta Gen:NN.ZemsilF.34110.cm0@aizl@ri
Cyren W32/MSIL_Troj.UP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFQ
APEX Malicious
ClamAV Win.Packed.Samas-7998113-0
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender IL:Trojan.MSILZilla.1627
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
Avast Win32:DropperX-gen [Drp]
Ad-Aware IL:Trojan.MSILZilla.1627
Sophos ML/PE-A + Mal/Agent-AVM
McAfee-GW-Edition BehavesLike.Win32.Fareit.pm
Emsisoft IL:Trojan.MSILZilla.1627 (B)
Ikarus Trojan.MSIL.Agent
Jiangmin Backdoor.MSIL.cxnh
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Generic.ASMalwS.31012BF
Microsoft Backdoor:MSIL/AsyncRat.AD!MTB
ZoneAlarm HEUR:Backdoor.MSIL.Crysan.gen
GData MSIL.Trojan.PSE.12PV32N
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.R358277
McAfee Fareit-FZT!CFD0D3019414
MAX malware (ai score=81)
VBA32 TScope.Trojan.MSIL
Malwarebytes Generic.Trojan.Malicious.DDS
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Yandex Trojan.Agent!qbxK3YzAv7k
SentinelOne Static AI - Malicious PE
Fortinet MSIL/CoinMiner.CFQ!tr
AVG Win32:DropperX-gen [Drp]
Cybereason malicious.19414a
Panda Trj/GdSda.A