Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

s.exe

AsyncRAT .NET framework(MSIL) UPX Malicious Packer PE File OS Processor Check PE32 .NET EXE

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 21, 2023, 8:42 p.m.	July 21, 2023, 8:46 p.m.

Size	66.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c9741d5bdc3286eff5ad5f9d86f83613`
SHA256	`3ce206d37bd3ec071ad24f0dd85e8e719252adeda8dd9a2111d0a4ea67a8b558`
CRC32	`00CD3C4D`
ssdeep	`1536:H2wukvF1ak9gcKu5UYFtIXmiT08JbXDbM/o2kM0GDgHtrPlTGpx:H2dkvF1ak9Ku5UYFtIpA8JbXM/yM7Dy4`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult AsyncRat - AsyncRat Payload Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
moneymaker.dynuddns.net	A 191.89.243.236	191.89.243.236

IP Address	Status	Action
164.124.101.2	Active	Moloch
191.89.243.236	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 191.89.243.236:5757 -> 192.168.56.101:49163	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 191.89.243.236:5757 -> 192.168.56.101:49163	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 191.89.243.236:5757	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

No signatures