Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 1:13 p.m.	May 20, 2022, 1:19 p.m.

Size	162.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ee22e44649d164a89bdb5ff6ba8410ae`
SHA256	`d0158a2a3ac2aaeef2f5657c2431ffb59ea5650aff7676b2bdfebb3b4700aeac`
CRC32	`8B694E92`
ssdeep	`3072:HJ+vt+aFhb2ibAHgem9I3bko6Xiv8wihViJf1J2QDX1f:ovt+aFhbJAAemqb78OF1JRDX1`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 2
3044
- timeout.exe timeout 2
  1948
MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
900

Name	Response	Post-Analysis Lookup
www.jasonid.com	CNAME proxy-ssl-geo.webflow.com CNAME proxy-ssl.webflow.com A 54.250.33.70 A 13.115.25.84 A 13.112.212.160	13.115.25.84
uacdrc.cf	A 192.185.174.177	192.185.174.177
www.beadilowa.store
www.lqunnew.com	A 156.238.103.4	156.238.103.4

Flow	SID	Signature	Category
UDP 192.168.56.101:55871 -> 164.124.101.2:53	2025107	ET INFO DNS Query for Suspicious .cf Domain	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 156.238.103.4:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 156.238.103.4:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 156.238.103.4:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49161 -> 192.185.174.177:80	2031092	ET HUNTING Request to .CF Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 13.115.25.84:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 13.115.25.84:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 13.115.25.84:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 20, 2022, 1:13 p.m.	buffer: Waiting for 2 console_handle: 0x00000007	1	1	0
WriteConsoleW May 20, 2022, 1:13 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

suspicious_features	GET method with no useragent header	suspicious_request	GET http://uacdrc.cf/n/Lcang_Qarrkkgi.png
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lqunnew.com/rx29/?lZ6l=tlAkrDQ7fwbEJS3Hr8zrfc95eA87tCkz9dtgGcCaS9Im0s+iFJ0ue5ctkukzeula70a118sC&vRipR=7nGx66NPeB
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.jasonid.com/rx29/?lZ6l=mHcFwNUVijBkQGx6cjD2hjPUY0thYO+cSfzHyL6zjWc4PIuCSTZNKMVOvZC7qqAHoen1iJ6S&vRipR=7nGx66NPeB

request	GET http://uacdrc.cf/n/Lcang_Qarrkkgi.png
request	GET http://www.lqunnew.com/rx29/?lZ6l=tlAkrDQ7fwbEJS3Hr8zrfc95eA87tCkz9dtgGcCaS9Im0s+iFJ0ue5ctkukzeula70a118sC&vRipR=7nGx66NPeB
request	GET http://www.jasonid.com/rx29/?lZ6l=mHcFwNUVijBkQGx6cjD2hjPUY0thYO+cSfzHyL6zjWc4PIuCSTZNKMVOvZC7qqAHoen1iJ6S&vRipR=7nGx66NPeB

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 900 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 1:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Bkav	W32.AIDetectNet.01
Lionic	Trojan.MSIL.Seraph.a!c
MicroWorld-eScan	Trojan.GenericKD.49034425
FireEye	Generic.mg.ee22e44649d164a8
ALYac	Trojan.GenericKD.49034425
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.49034425
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.LVG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Alibaba	TrojanDownloader:MSIL/AgentTesla.b971c211
ViRobot	Trojan.Win32.Z.Agent.166400.SS
Ad-Aware	Trojan.GenericKD.49034425
Emsisoft	Trojan.GenericKD.49034425 (B)
F-Secure	Trojan.TR/Dldr.Agent.yvmnu
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Avira	TR/Dldr.Agent.yvmnu
MAX	malware (ai score=88)
Microsoft	TrojanDownloader:MSIL/AgentTesla.ESH!MTB
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Generic.D2EC34B9
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Trojan.GenericKD.49034425
Cynet	Malicious (score: 100)
AhnLab-V3	Downloader/Win.AgentTesla.C5133019
McAfee	RDN/Generic Downloader.x
Malwarebytes	Trojan.Downloader.MSIL
TrendMicro-HouseCall	TROJ_GEN.R002H0DEH22
Tencent	Msil.Trojan-downloader.Agent.Alig
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.JDM!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34682.km0@a8x7AGo
AVG	Win32:DropperX-gen [Drp]
Avast	Win32:DropperX-gen [Drp]

cop.exe