popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

test.exe

AsyncRAT .NET framework(MSIL) Malicious Library Malicious Packer Downloader task schedule UPX HTTP DNS ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate priviledges Code injection PWS Sniff Audio Steal credential
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 8, 2023, 6:38 p.m. Aug. 8, 2023, 6:43 p.m.
Size 45.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 65c06c0404ce69f08491b0f868e0b635
SHA256 ea04850fa21b0c32d74e4f6dfd09540efb4674cb64e6836b4842d8a7e6ae587a
CRC32 3653428B
ssdeep 768:jujYm1TUET1/WUTQV9mo2qz+8V1vBTcPI1zjbkgX3iKKeS6XGdmLhufvfBDZ/x:jujYm1TU0I2P8VnTh13brXSR+iyGvpdp
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • AsyncRat - AsyncRat Payload
  • Is_DotNET_EXE - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "UpdateHost" has successfully been created.
console_handle: 0x00000007
1 1 0
cmdline schtasks /create /f /sc onlogon /rl highest /tn "UpdateHost" /tr '"C:\Users\test22\AppData\Roaming\UpdateHost.exe"'
file C:\Users\test22\AppData\Roaming\UpdateHost.exe
file C:\Users\test22\AppData\Roaming\UpdateHost.exe
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communications over P2P network rule Network_P2P_Win
description Communication using DGA rule Network_DGA
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description task schedule rule schtasks_Zero
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
cmdline schtasks /create /f /sc onlogon /rl highest /tn "UpdateHost" /tr '"C:\Users\test22\AppData\Roaming\UpdateHost.exe"'
cmdline schtasks /create /f /sc onlogon /rl highest /tn "UpdateHost" /tr '"C:\Users\test22\AppData\Roaming\UpdateHost.exe"'
Process injection Process 2792 resumed a thread in remote process 2952
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2952
1 0 0
Lionic Trojan.Win32.Crysan.4!c
Elastic Windows.Trojan.Asyncrat
MicroWorld-eScan Generic.AsyncRAT.Marte.B.DE67D757
CAT-QuickHeal Trojan.IgenericFC.S14890850
ALYac Generic.AsyncRAT.Marte.B.DE67D757
Cylance unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 005678321 )
K7GW Trojan ( 005678321 )
Cybereason malicious.404ce6
VirIT Trojan.Win32.MSIL_Heur.A
Cyren W32/Samas.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CFQ
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Packed.Razy-9625918-0
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
Alibaba Backdoor:MSIL/AsyncRat.6064a8e8
SUPERAntiSpyware Trojan.Agent/Gen-Kryptik
Avast Win32:DropperX-gen [Drp]
Tencent Trojan.Msil.Agent.zap
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.Siggen9.56514
Zillya Backdoor.Crysan.Win32.425
TrendMicro Backdoor.MSIL.ASYNCRAT.SMXSR
Sophos Troj/AsyncRat-B
Ikarus Trojan.MSIL.Agent
Jiangmin Backdoor.MSIL.cxnh
Avira TR/Dropper.Gen
Antiy-AVL Trojan[Backdoor]/MSIL.Crysan
Arcabit Generic.AsyncRAT.Marte.B.DE67D757
ZoneAlarm HEUR:Backdoor.MSIL.Crysan.gen
Google Detected
AhnLab-V3 Malware/Win.Generic.R414558
Acronis suspicious
VBA32 OScope.Backdoor.MSIL.Crysan
Malwarebytes Generic.Malware.AI.DDS
Panda Trj/CI.A
Rising Trojan.AntiVM!1.CF63 (CLASSIC)
Yandex Trojan.Agent!cRLETgvVh9s
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.74418669.susgen
Fortinet MSIL/Agent.CFQ!tr
BitDefenderTheta Gen:NN.ZemsilF.36348.cm0@aKjYc3d
AVG Win32:DropperX-gen [Drp]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)