Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

schtasks.exe

AsyncRAT .NET framework(MSIL) UPX Malicious Packer PE File OS Processor Check PE32 .NET EXE

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2023, 8:11 a.m.	July 12, 2023, 8:13 a.m.

Size	66.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`24cd86ecb2c7e499e830f681f6308f41`
SHA256	`5873948842cd4f265c9f9035c8ecc72f73926a5c263f180ec43263d0da69e901`
CRC32	`DC8C346E`
ssdeep	`1536:m2wukvF1ak9gcKu5UYFLZazbUZrZlFHIhteg4rPlTGJx:m2dkvF1ak9Ku5UYFLZazbUB04dKx`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult AsyncRat - AsyncRat Payload Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
code2023.kozow.com	A 179.14.8.129	179.14.8.129

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.14.8.129	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 179.14.8.129:8000 -> 192.168.56.101:49165	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 179.14.8.129:8000 -> 192.168.56.101:49165	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 179.14.8.129:8000	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

No signatures