Summary | ZeroBOX

unknown.exe

UPX Malicious Library Malicious Packer PWS PE File OS Processor Check PE32 .NET EXE
Category Machine Started Completed
FILE s1_win7_x6401 March 20, 2023, 7:54 a.m. March 20, 2023, 7:56 a.m.
Size 61.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 b61e626bf11cf496d6cb2dd7e470551b
SHA256 2eddddf352d936c0fa8c87727014d9c6c8128c5b07e3d9606b2d29c6890736e0
CRC32 9067CC13
ssdeep 1536:gG9YB1ANwvtVj5pQBuPUbJAW13+33Ur1qfLbMx:gG9YB1ANwrwBuPUbWVOYLQx
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
clsuplementos.ddns.net 141.255.152.14
IP Address Status Action
141.255.152.14 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
TCP 141.255.152.14:4440 -> 192.168.56.101:49163 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 141.255.152.14:4440 -> 192.168.56.101:49163 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49163
141.255.152.14:4440
CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

domain clsuplementos.ddns.net