popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RegSvcs.exe

UPX Malicious Library Malicious Packer PWS PE File OS Processor Check PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 5, 2023, 8:54 a.m. April 5, 2023, 8:58 a.m.
Size 58.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a75accacdd53a79c96b99261ebe0affe
SHA256 1d8a36da2b1a8195c18c190c17cfdc93d3a7ccf0644e8e50e90d95bf0213b819
CRC32 7F125C04
ssdeep 768:OLrBlOGhV1Xj+IfxXRs4yPbE5He/fD/kq9Iq5LUbXg1UIY7Q8e6og6inDXGHN7Yx:OPrVFns05+zMqCqKbw1t/o6inDXq7Yx
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
xxxprofxxx.dnsdojo.com
A 185.252.178.121
185.252.178.121
IP Address Status Action
164.124.101.2 Active Moloch
185.252.178.121 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2042691 ET INFO DYNAMIC_DNS Query to a *.dnsdojo .com Domain Potentially Bad Traffic
TCP 185.252.178.121:5126 -> 192.168.56.101:49163 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 185.252.178.121:5126 -> 192.168.56.101:49163 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49163
185.252.178.121:5126 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

No signatures