popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RegSvcs.exe

UPX Malicious Library Malicious Packer PWS PE File OS Processor Check PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 29, 2023, 10:38 a.m. March 29, 2023, 10:51 a.m.
Size 62.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 7f47c9d043fcec52e995e98d21813482
SHA256 5f02848fc8b21a0bdc352e5ea23fc3a1fa94dab48b6d964268953a2dc8545ba3
CRC32 76B4A3F7
ssdeep 1536:pTnFkQMcYNVT5O0C6BVBjPjbOoTockVf7q7ox:pTnFkQMcYjT5O0fBVBjjbOoGVf7qMx
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
pop12.linkpc.net
A 15.204.170.1
15.204.170.1
IP Address Status Action
15.204.170.1 Active Moloch
164.124.101.2 Active Moloch
45.80.158.108 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53 2034458 ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) Potentially Bad Traffic
TCP 15.204.170.1:7707 -> 192.168.56.101:49164 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 15.204.170.1:7707 -> 192.168.56.101:49164 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49164
15.204.170.1:7707 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

domain pop12.linkpc.net
host 45.80.158.108
dead_host 45.80.158.108:6666
dead_host 192.168.56.101:49163