popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RegSvcs.exe

UPX Malicious Library Malicious Packer PWS PE File OS Processor Check PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 29, 2023, 11:04 a.m. March 29, 2023, 11:07 a.m.
Size 61.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 004a919e31049dce0f9b96699cbbec5e
SHA256 d1c039fb87895247898f0aa097da23c61417f6c248e335aa6da1b7df442e39e1
CRC32 9C29B67C
ssdeep 1536:em4JvBJ0twggJ7rU+aab0yFiSgj1Rr2Lbxx:em4RBJ0tw3rUdabF8Xr2LVx
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
4-hitler.publicvm.com
A 207.32.216.119
207.32.216.119
hitler5573.linkpc.net
A 142.202.240.126
142.202.240.126
IP Address Status Action
142.202.240.126 Active Moloch
164.124.101.2 Active Moloch
207.32.216.119 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2034458 ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2034457 ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) Potentially Bad Traffic
TCP 142.202.240.126:6666 -> 192.168.56.103:49164 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 142.202.240.126:6666 -> 192.168.56.103:49164 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected
UDP 192.168.56.103:50800 -> 8.8.8.8:53 2034458 ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49164
142.202.240.126:6666 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

domain 4-hitler.publicvm.com
domain hitler5573.linkpc.net
dead_host 207.32.216.119:5555