Summary | ZeroBOX

payload2.dll

Tags: UPX, Malicious Library, Malicious Packer, PWS, PE File, OS Processor Check, PE32, .NET EXE

Category  Machine        Started                    Completed
FILE      s1_win7_x6402  April 14, 2023, 1:38 p.m.  April 14, 2023, 1:40 p.m.
Size 45.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 f249ab6266b09f71f05c85a966f8f3d7
SHA256 e22683de5510cbc523e79448c8695ae6c07e03b6548acbd8960ce243282594c0
CRC32 36005BD5
ssdeep 768:wuwCfTg46YbWUn8jjmo2qrl8khEamPIvFjbegX3ipgb089eHVTsOazHOuBDZmx:wuwCfTgp/28EaPvNbhXSpgbcVwjLOgdE
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS resolutions
Name           Response         Post-Analysis Lookup
wbem.ddns.net  147.189.170.192

Contacted hosts
IP Address       Status  Action
147.189.170.192  Active  Moloch
164.124.101.2    Active  Moloch

Suricata Alerts

Flow                                              SID      Signature                                                  Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53      2028675  ET POLICY DNS Query to DynDNS Domain *.ddns .net           Potentially Bad Traffic
TCP 147.189.170.192:6666 -> 192.168.56.102:49163  2030673  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)   Domain Observed Used for C2 Detected
TCP 147.189.170.192:6666 -> 192.168.56.102:49165  2030673  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)   Domain Observed Used for C2 Detected
TCP 147.189.170.192:6666 -> 192.168.56.102:49163  2035595  ET MALWARE Generic AsyncRAT Style SSL Cert                 Domain Observed Used for C2 Detected
TCP 147.189.170.192:6666 -> 192.168.56.102:49165  2035595  ET MALWARE Generic AsyncRAT Style SSL Cert                 Domain Observed Used for C2 Detected

Suricata TLS

Flow                                                 Issuer              Subject             Fingerprint (SHA1)
TLSv1 192.168.56.102:49163 -> 147.189.170.192:6666   CN=AsyncRAT Server  CN=AsyncRAT Server  33:ca:ec:34:b4:66:16:1b:6e:4d:7a:f2:38:5a:35:d1:e6:40:2d:50
TLSv1 192.168.56.102:49165 -> 147.189.170.192:6666   CN=AsyncRAT Server  CN=AsyncRAT Server  33:ca:ec:34:b4:66:16:1b:6e:4d:7a:f2:38:5a:35:d1:e6:40:2d:50
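The two Suricata sections above carry the report's reusable network indicators: a DNS query to a dynamic-DNS host, and a self-signed certificate whose subject and issuer are both "CN=AsyncRAT Server" on a non-standard port. The script below is an added example, not part of the ZeroBOX report or of Suricata: it sweeps Suricata EVE JSON for those indicators and grades each hit. The EVE lines it reads are constructed to mirror the report (plus two benign-looking controls), the dynamic-DNS suffixes beyond ddns.net are assumptions, and the self-signed/no-SNI/non-443 heuristic is an approximation of the generic "AsyncRAT style" idea, not the text of ET SID 2035595.

```python
"""Sweep Suricata EVE JSON for the network indicators in this report.

Added example, not part of the ZeroBOX report or Suricata. The EVE lines in
SAMPLE_EVE are constructed to mirror the report's DNS and TLS observations plus
two benign-looking controls; they are not captured traffic.
"""
import json

# Indicators copied from the report above.
ASYNCRAT_CERT_SHA1 = "33:ca:ec:34:b4:66:16:1b:6e:4d:7a:f2:38:5a:35:d1:e6:40:2d:50"
C2_HOST = "wbem.ddns.net"
C2_IP = "147.189.170.192"

# The report only shows ddns.net; the other suffixes are assumed here so the
# sweep covers more dynamic-DNS providers.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")

# Constructed EVE JSON, one event per line. Field names follow Suricata's
# eve.json schema: tls.subject, tls.issuerdn, tls.fingerprint (SHA1), tls.sni,
# dns.rrname, dest_port.
SAMPLE_EVE = """
{"event_type":"dns","src_ip":"192.168.56.102","src_port":63709,"dest_ip":"164.124.101.2","dest_port":53,"dns":{"type":"query","rrname":"wbem.ddns.net","rrtype":"A"}}
{"event_type":"tls","src_ip":"192.168.56.102","src_port":49163,"dest_ip":"147.189.170.192","dest_port":6666,"tls":{"subject":"CN=AsyncRAT Server","issuerdn":"CN=AsyncRAT Server","fingerprint":"33:ca:ec:34:b4:66:16:1b:6e:4d:7a:f2:38:5a:35:d1:e6:40:2d:50","version":"TLSv1"}}
{"event_type":"tls","src_ip":"192.168.56.102","src_port":49170,"dest_ip":"93.184.216.34","dest_port":443,"tls":{"subject":"CN=example.com","issuerdn":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","version":"TLS 1.3","sni":"example.com"}}
{"event_type":"tls","src_ip":"192.168.56.102","src_port":49180,"dest_ip":"10.0.0.5","dest_port":8443,"tls":{"subject":"CN=internal-lab","issuerdn":"CN=internal-lab","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc","version":"TLS 1.2"}}
"""


def parse_dn(dn):
    """Parse an X.500 DN string such as 'C=US, O=Foo, CN=bar' into a dict."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.strip()] = value.strip()
    return out


def classify_tls(ev):
    """Return the reasons a tls event looks like AsyncRAT C2 (empty if clean)."""
    tls = ev.get("tls", {})
    subject, issuer = tls.get("subject", ""), tls.get("issuerdn", "")
    reasons = []
    if tls.get("fingerprint", "").lower() == ASYNCRAT_CERT_SHA1:
        reasons.append("known AsyncRAT cert fingerprint")
    if "asyncrat" in parse_dn(subject).get("CN", "").lower():
        reasons.append("AsyncRAT in certificate CN")
    # Heuristic (assumed, not the ET rule text): a self-signed cert with no SNI
    # on a port other than 443 is the shape of a RAT's generated certificate.
    if subject and subject == issuer and "sni" not in tls and ev.get("dest_port") != 443:
        reasons.append("self-signed cert, no SNI, non-standard port")
    if ev.get("dest_ip") == C2_IP:
        reasons.append("known C2 IP")
    return reasons


def classify_dns(ev):
    """Return the reasons a dns event is suspicious (empty if clean)."""
    name = ev.get("dns", {}).get("rrname", "").lower()
    if name == C2_HOST:
        return ["known C2 hostname"]
    if name.endswith(DYNDNS_SUFFIXES):
        return ["dynamic DNS domain"]
    return []


def sweep(eve_text):
    """Return one hit dict per matching event, in input order."""
    hits = []
    for line in eve_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") == "tls":
            reasons = classify_tls(ev)
        elif ev.get("event_type") == "dns":
            reasons = classify_dns(ev)
        else:
            continue
        if not reasons:
            continue
        # A known indicator or an AsyncRAT CN is high confidence; the generic
        # self-signed heuristic on its own is only a lead for triage.
        strong = any(r.startswith("known") or "AsyncRAT" in r for r in reasons)
        hits.append({
            "severity": "high" if strong else "low",
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVE):
        print(hit["severity"].upper(), hit["src"], "->", hit["dst"], "|", "; ".join(hit["reasons"]))
```

On the constructed input this yields three hits: the DNS query and the AsyncRAT session as high, and the internal-lab self-signed service as low, which is the point of grading: the fingerprint and CN are the durable indicators, while the self-signed heuristic alone also catches ordinary lab services and needs a second signal before anyone acts on it.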

Domain wbem.ddns.net

Antivirus
Vendor  Detection
Bkav W32.AIDetectNet.01
Elastic Windows.Trojan.Asyncrat
MicroWorld-eScan Generic.AsyncRAT.Marte.B.7713EB42
ClamAV Win.Packed.Razy-9625918-0
FireEye Generic.mg.f249ab6266b09f71
CAT-QuickHeal Trojan.IgenericFC.S14890850
McAfee Fareit-FZT!F249AB6266B0
Malwarebytes Generic.Trojan.MSIL.DDS
Zillya Trojan.Agent.Win32.1334302
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 005678321 )
K7GW Trojan ( 005678321 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.AsyncRAT.Marte.B.7713EB42
BitDefenderTheta Gen:NN.ZemsilF.36132.cm0@a4te13j
VirIT Trojan.Win32.Genus.NFZ
Cyren W32/Samas.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFQ
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
BitDefender Generic.AsyncRAT.Marte.B.7713EB42
Avast Win32:DropperX-gen [Drp]
Tencent Trojan.Msil.Agent.zap
Emsisoft Trojan.Agent (A)
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.Siggen9.56514
VIPRE Generic.AsyncRAT.Marte.B.7713EB42
TrendMicro Backdoor.MSIL.ASYNCRAT.SMXSR
McAfee-GW-Edition BehavesLike.Win32.Fareit.pm
Sophos Troj/AsyncRat-B
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.MSIL.cxnh
Avira TR/Dropper.Gen
MAX malware (ai score=89)
Antiy-AVL Trojan[Backdoor]/MSIL.Crysan
Microsoft Backdoor:MSIL/AsyncRat.AD!MTB
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
ZoneAlarm HEUR:Backdoor.MSIL.Crysan.gen
GData MSIL.Backdoor.DCRat.D
Google Detected
AhnLab-V3 Malware/Win32.RL_Generic.C3558490
Acronis suspicious
VBA32 OScope.Backdoor.MSIL.Crysan
ALYac Generic.AsyncRAT.Marte.B.7713EB42
Cylance unsafe
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Yandex Trojan.Agent!xaLpst2UPE0
Ikarus Trojan.MSIL.Agent