Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 30, 2021, 11:41 a.m.	Oct. 30, 2021, 11:44 a.m.

Size	45.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4c2634725187d2ccebaaaf92b231a1f0`
SHA256	`b7f3d1dd2aa804eb498480b7a3b03ea003efb665005e844e51be5b8ab9dc8e79`
CRC32	`7484230A`
ssdeep	`768:XuGs1THwoPNWUtmT1MHmo2qzbo3p5tByBlPIJzjb9gX3iXL1R2sCepBDZPx:XuGs1THb01m2Uo551J3bqXSf2u3dPx`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Adobe" /tr '"C:\Users\test22\AppData\Roaming\Adobe.exe"' & exit
2772
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Adobe" /tr '"C:\Users\test22\AppData\Roaming\Adobe.exe"'
  1276
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpE9FB.tmp.bat""
2564
- timeout.exe timeout 3
  2892

Name	Response	Post-Analysis Lookup
asyncspread.duckdns.org	A 23.102.1.5	23.102.1.5

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.102.1.5	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.101:49208 -> 23.102.1.5:6121	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 23.102.1.5:6121 -> 192.168.56.101:49208	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49208 23.102.1.5:6121	CN=AsyncRAT Server	CN=AsyncRAT Server	92:6c:c8:c2:f4:ea:22:63:7c:2c:a1:24:62:ec:7d:a8:50:70:64:39

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 30, 2021, 11:42 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 30, 2021, 11:42 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW Oct. 30, 2021, 11:42 a.m.	buffer: SUCCESS: The scheduled task "Adobe" has successfully been created. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

asyncspread.duckdns.org

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "Adobe" /tr '"C:\Users\test22\AppData\Roaming\Adobe.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Adobe.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Adobe.exe

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	task schedule	rule	schtasks_Zero
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "Adobe" /tr '"C:\Users\test22\AppData\Roaming\Adobe.exe"'

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "Adobe" /tr '"C:\Users\test22\AppData\Roaming\Adobe.exe"'

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 1068
NtResumeThread Oct. 30, 2021, 11:42 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1068	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.1627
CAT-QuickHeal	Trojan.IgenericFC.S14890850
McAfee	Fareit-FZT!4C2634725187
Malwarebytes	Backdoor.AsyncRAT.MSIL.Generic
Zillya	Trojan.Agent.Win32.1338469
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005678321 )
K7GW	Trojan ( 005678321 )
CrowdStrike	win/malicious_confidence_70% (D)
BitDefenderTheta	Gen:NN.ZemsilF.34236.cm0@aCs33Jf
Cyren	W32/MSIL_Troj.UP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Agent.CFQ
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
BitDefender	IL:Trojan.MSILZilla.1627
SUPERAntiSpyware	Trojan.Agent/Gen-Kryptik
Avast	Win32:DropperX-gen [Drp]
Ad-Aware	IL:Trojan.MSILZilla.1627
Sophos	ML/PE-A + Mal/Agent-AVM
DrWeb	Trojan.Siggen9.56514
McAfee-GW-Edition	BehavesLike.Win32.Fareit.pm
Emsisoft	IL:Trojan.MSILZilla.1627 (B)
Ikarus	Trojan.MSIL.Agent
Jiangmin	Backdoor.MSIL.cxnh
Webroot	W32.Trojan.Dropper
Avira	TR/Dropper.Gen
Arcabit	IL:Trojan.MSILZilla.D65B
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
Microsoft	Backdoor:MSIL/AsyncRat.AD!MTB
AhnLab-V3	Trojan/Win32.RL_Generic.R358277
ALYac	IL:Trojan.MSILZilla.1627
MAX	malware (ai score=82)
Cylance	Unsafe
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/CoinMiner.CFQ!tr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.25187d
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

AsyncClient6121.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All