Summary | ZeroBOX

schtasks.exe

AsyncRAT .NET framework(MSIL) UPX Malicious Packer PE File OS Processor Check PE32 .NET EXE
Category    FILE
Machine     s1_win7_x6403_us
Started     Oct. 16, 2023, 10:58 a.m.
Completed   Oct. 16, 2023, 11:10 a.m.
Size        47.5KB
Type        PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5         72aa1d054af015d3b90588e9e0cf04ae
SHA256      9f3e493d79719bd183d6336f6e91f620eedb13d5600ab978a2a8e85733c4fab5
CRC32       ED072F09
ssdeep      768:luScK5TAYGTqWU8C+zmo2qLYCL52qkZt6YPI2o6dqbPN30b8RkDKhqWe1VUBDZQx:luScK5TA5/2EL5TCti2oZFkb8REK6odC
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Packer_Zero - Malicious Packer
  • AsyncRat - AsyncRat Payload
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • OS_Processor_Check_Zero - OS Processor Check

Name              Response        Post-Analysis Lookup
itskmc.run.place  74.207.245.195

IP Address      Status  Action
164.124.101.2   Active  Moloch
74.207.245.195  Active  Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2042829 ET INFO DYNAMIC_DNS Query to a *.run .place Domain Potentially Bad Traffic
TCP 74.207.245.195:8808 -> 192.168.56.103:49164 2030673 ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) Domain Observed Used for C2 Detected
TCP 74.207.245.195:8808 -> 192.168.56.103:49164 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected

Suricata TLS

Flow                                               Issuer              Subject             Fingerprint
TLSv1 192.168.56.103:49165 -> 74.207.245.195:8808  None                None                None
TLSv1 192.168.56.103:49164 -> 74.207.245.195:8808  CN=AsyncRAT Server  CN=AsyncRAT Server  91:7f:5f:7a:e0:5b:39:3f:65:05:64:70:91:57:d6:03:63:78:f6:52

No signatures