Summary | ZeroBOX

AsyncClient.exe

Generic Malware UPX Malicious Library Malicious Packer PWS .NET EXE PE File OS Processor Check PE32
Category: FILE
Machine: s1_win7_x6401
Started: Nov. 1, 2021, 10:27 a.m.
Completed: Nov. 1, 2021, 10:34 a.m.
Size: 45.0KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: d4b8b8cfd3b479a8138cd750c58a7c82
SHA256: 1490f6303a675ded86c22841f87868c6f0867e922671e0426f499e46a72060d2
CRC32: C0A2E169
ssdeep: 768:LuScq5TAYGTqWU8j+zmo2qLzKjGKG6PIyzjbFgX3ipayUcuhLpuvBDZbx:LuScq5TA5c2eKYDy3bCXSpayULhedbx
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name | Response | Post-Analysis Lookup
asyncmoney.duckdns.org | 103.151.123.194 |

IP Address | Status | Action
103.151.123.194 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49201 -> 103.151.123.194:7840 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 103.151.123.194:7840 -> 192.168.56.101:49201 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | Domain Observed Used for C2 Detected
UDP 192.168.56.101:61479 -> 164.124.101.2:53 | 2022918 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | Misc activity

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49201 -> 103.151.123.194:7840 | CN=AsyncRAT Server | CN=AsyncRAT Server | 92:6c:c8:c2:f4:ea:22:63:7c:2c:a1:24:62:ec:7d:a8:50:70:64:39

domain asyncmoney.duckdns.org
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.56514
MicroWorld-eScan IL:Trojan.MSILZilla.1627
FireEye Generic.mg.d4b8b8cfd3b479a8
CAT-QuickHeal Trojan.IgenericFC.S14890850
McAfee Fareit-FZT!D4B8B8CFD3B4
Cylance Unsafe
Zillya Trojan.Agent.Win32.1334999
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 005678321 )
K7AntiVirus Trojan ( 005678321 )
Arcabit IL:Trojan.MSILZilla.D65B
BitDefenderTheta Gen:NN.ZemsilF.34236.cm0@aWkt8Bh
Cyren W32/MSIL_Troj.UP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFQ
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Samas-7998113-0
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender IL:Trojan.MSILZilla.1627
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
Avast Win32:DropperX-gen [Drp]
Ad-Aware IL:Trojan.MSILZilla.1627
Sophos ML/PE-A + Mal/Agent-AVM
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Fareit.pm
Emsisoft Trojan.Agent (A)
Ikarus Trojan.MSIL.Agent
Jiangmin Backdoor.MSIL.cxnh
Webroot W32.Trojan.Dropper
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Generic.ASMalwS.307DC1F
Microsoft Backdoor:MSIL/AsyncRat.AD!MTB
GData MSIL.Backdoor.DCRat.D
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.R358277
ALYac IL:Trojan.MSILZilla.1627
MAX malware (ai score=86)
VBA32 TScope.Trojan.MSIL
Malwarebytes Backdoor.AsyncRAT
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Yandex Trojan.Agent!SFVW4JuVEGc
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.74418669.susgen
Fortinet MSIL/CoinMiner.CFQ!tr
AVG Win32:DropperX-gen [Drp]
Cybereason malicious.fd3b47