popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RegSvcs.exe

UPX Malicious Packer PWS PE File OS Processor Check PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us April 4, 2023, 7:10 a.m. April 4, 2023, 7:14 a.m.
Size 65.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 aab8a0f6b79b294bc551f015851624ee
SHA256 d2bd34e8c560568aa6337f470a99cbe9ccef27c8562b561064b1d920c3b223bd
CRC32 00B93A82
ssdeep 1536:3mfBSqHdw8bkP3ouFgWrtWdNSSsfnG+XYEbZrECHrWISLWIx:3m5SqHdwpSsfnGOYEbZjHrWtbx
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
185.81.157.209 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.81.157.209:2301 -> 192.168.56.103:49163 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 185.81.157.209:2301 -> 192.168.56.103:49163 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected
TCP 185.81.157.209:2301 -> 192.168.56.103:49165 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 185.81.157.209:2301 -> 192.168.56.103:49165 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49163
185.81.157.209:2301 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90
TLSv1
192.168.56.103:49165
185.81.157.209:2301 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

host 185.81.157.209