popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

s.exe

AsyncRAT .NET framework(MSIL) UPX Malicious Packer PE File OS Processor Check PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 21, 2023, 8:42 p.m. July 21, 2023, 8:46 p.m.
Size 66.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 c9741d5bdc3286eff5ad5f9d86f83613
SHA256 3ce206d37bd3ec071ad24f0dd85e8e719252adeda8dd9a2111d0a4ea67a8b558
CRC32 00CD3C4D
ssdeep 1536:H2wukvF1ak9gcKu5UYFtIXmiT08JbXDbM/o2kM0GDgHtrPlTGpx:H2dkvF1ak9Ku5UYFtIpA8JbXM/yM7Dy4
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • AsyncRat - AsyncRat Payload
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
moneymaker.dynuddns.net
A 191.89.243.236
191.89.243.236
IP Address Status Action
164.124.101.2 Active Moloch
191.89.243.236 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 191.89.243.236:5757 -> 192.168.56.101:49163 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 191.89.243.236:5757 -> 192.168.56.101:49163 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49163
191.89.243.236:5757 		CN=AsyncRAT Server CN=AsyncRAT Server c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

No signatures