Summary | ZeroBOX

sync.exe

Tags: task schedule, Downloader, UPX, Malicious Library, Malicious Packer, FTP, Code injection, Create Service, HTTP, PWS, ScreenShot, Internet API, KeyLogger, P2P, Http API, DGA, DNS, Sniff Audio, Escalate priviledges, Steal credential, Socket
Category: FILE
Machine: s1_win7_x6403_us
Started: March 29, 2023, 7:40 a.m.
Completed: March 29, 2023, 7:42 a.m.
Size: 45.0KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 3b7f9dcb3b83acf40f32d5f7c500fefb
SHA256: 0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777
CRC32: 64958AE9
ssdeep: 768:vuK49TH4EjZWUR+ejmo2qrL/ot3APIPzjbogX3a7bsaN3KnVABDZXx:vuK49THf520s3lP3b/XKUaN3CWdXx
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.
Hosts (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0
API: WriteConsoleW
  buffer: The batch file cannot be found.
  console_handle: 0x0000000b
  Status: 1  Return: 1  Repeated: 0

API: WriteConsoleW
  buffer: SUCCESS: The scheduled task "windllx" has successfully been created.
  console_handle: 0x00000007
  Status: 1  Return: 1  Repeated: 0
cmdline: schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\test22\AppData\Roaming\windllx.exe"'
file: C:\Users\test22\AppData\Roaming\windllx.exe
Signatures
  • Create_Service - Create a windows service
  • Network_DGA - Communication using DGA
  • Network_TCP_Socket - Communications over RAW Socket
  • ScreenShot - Take ScreenShot
  • Network_DNS - Communications use DNS
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Code_injection - Code injection with CreateRemoteThread in a remote process
  • Generic_PWS_Memory_Zero - PWS Memory
  • Sniff_Audio - Record Audio
  • Network_HTTP - Communications over HTTP
  • local_credential_Steal - Steal credential
  • KeyLogger - Run a KeyLogger
  • Network_P2P_Win - Communications over P2P network
  • Network_Downloader - File Downloader
  • schtasks_Zero - task schedule
  • Escalate_priviledges - Escalate priviledges
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerCheck__RemoteAPI - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • Check_Dlls - (no description)
  • anti_dbg - Checks if being debugged
  • antisb_threatExpert - Anti-Sandbox checks for ThreatExpert
  • disable_dep - Bypass DEP
  • win_hook - Affect hook table
  • Network_FTP - Communications over FTP
  • Str_Win32_Http_API - Match Windows Http API call
cmdline: schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\test22\AppData\Roaming\windllx.exe"'
Process injection: Process 2796 resumed a thread in remote process 2956

API: NtResumeThread
  thread_handle: 0x00000088
  suspend_count: 0
  process_identifier: 2956
  Status: 1  Return: 0  Repeated: 0
Antivirus results (vendor, detection name)

Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Crysan.4!c
Elastic Windows.Trojan.Asyncrat
MicroWorld-eScan Generic.AsyncRAT.Marte.B.4EA40F7B
FireEye Generic.mg.3b7f9dcb3b83acf4
CAT-QuickHeal Trojan.IgenericFC.S14890850
ALYac Generic.AsyncRAT.Marte.B.4EA40F7B
Malwarebytes Crypt.Trojan.MSIL.DDS
VIPRE Generic.AsyncRAT.Marte.B.4EA40F7B
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 005678321 )
Alibaba Backdoor:MSIL/AsyncRat.8b499b5e
K7GW Trojan ( 005678321 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.AsyncRAT.Marte.B.4EA40F7B
VirIT Trojan.Win32.MSIL_Heur.A
Cyren W32/Samas.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFQ
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender Generic.AsyncRAT.Marte.B.4EA40F7B
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
Avast Win32:DropperX-gen [Drp]
Tencent Trojan.Msil.Agent.zap
Emsisoft Trojan.Agent (A)
DrWeb Trojan.Siggen9.56514
Zillya Backdoor.Crysan.Win32.459
TrendMicro Backdoor.MSIL.ASYNCRAT.SMXSR
McAfee-GW-Edition BehavesLike.Win32.Fareit.pm
Sophos Troj/AsyncRat-B
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.MSIL.cxnh
Avira TR/Dropper.Gen
MAX malware (ai score=82)
Antiy-AVL Trojan[Backdoor]/MSIL.Crysan
Microsoft Backdoor:MSIL/AsyncRat.AD!MTB
ViRobot Trojan.Win.Z.Crysan.46080.BR
GData MSIL.Backdoor.DCRat.D
Google Detected
AhnLab-V3 Malware/Win.Generic.R414554
Acronis suspicious
McAfee Fareit-FZT!3B7F9DCB3B83
VBA32 OScope.Backdoor.MSIL.Crysan
Cylance unsafe
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Yandex Trojan.Agent!hQKftG0xkT0
Ikarus Trojan.MSIL.Agent