Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 29, 2024, 9:31 a.m.	March 29, 2024, 9:37 a.m.

Size	63.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c1ade258f05c512e98ebc4d9d1165f8a`
SHA256	`447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759`
CRC32	`A7D7C05F`
ssdeep	`1536:SaKFoNbEkySYKumUYFOy5biAPY0JG4aRjnl7RUr+TG5x:SawoNbEkAKumUYFD5biF0JejxSsCx`
Yara	AsyncRat - AsyncRat Payload Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' & exit
2992
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'
  2072
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpB919.tmp.bat""
3048
- timeout.exe timeout 3
  2080

Name	Response	Post-Analysis Lookup
leetboy.dynuddns.net	A 185.196.11.223	185.196.11.223

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.196.11.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.196.11.223:1339 -> 192.168.56.101:49171	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 185.196.11.223:1339 -> 192.168.56.101:49171	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 185.196.11.223:1339 -> 192.168.56.101:49171	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2045995	ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49171 185.196.11.223:1339	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 29, 2024, 9:32 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 29, 2024, 9:32 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW March 29, 2024, 9:32 a.m.	buffer: SUCCESS: The scheduled task "svchos" has successfully been created. console_handle: 0x00000007	1	1	0

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\svchos.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\svchos.exe

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 resumed a thread in remote process 152
NtResumeThread March 29, 2024, 9:32 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 152	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.AsyncRAT.m!c
Elastic	Windows.Generic.Threat
CAT-QuickHeal	Backdoor.MsilFC.S14901152
Skyhigh	BehavesLike.Win32.Fareit.km
ALYac	Generic.AsyncRAT.Marte.B.6A4546A1
Cylance	unsafe
VIPRE	Generic.AsyncRAT.Marte.B.6A4546A1
Sangfor	Trojan.Win32.Save.a
BitDefender	Generic.AsyncRAT.Marte.B.6A4546A1
Cybereason	malicious.8f05c5
Arcabit	Generic.AsyncRAT.Marte.B.6A4546A1
VirIT	Trojan.Win32.MSIL_Heur.B
Symantec	MSIL.Trojan!gen7
ESET-NOD32	a variant of MSIL/AsyncRAT.A
APEX	Malicious
McAfee	PWS-FCQR!C1ADE258F05C
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Razy-9625918-0
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/AsyncRat.749dc0b2
MicroWorld-eScan	Generic.AsyncRAT.Marte.B.6A4546A1
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
Emsisoft	Generic.AsyncRAT.Marte.B.6A4546A1 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	BackDoor.AsyncRATNET.2
TrendMicro	Backdoor.Win32.ASYNCRAT.YXEC2Z
FireEye	Generic.mg.c1ade258f05c512e
Sophos	Troj/AsyncRat-B
Ikarus	Backdoor.AsyncRat
Jiangmin	Backdoor.MSIL.gffx
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=86)
Kingsoft	malware.kb.c.1000
Gridinsoft	Backdoor.Win32.Generic.sa
Microsoft	Backdoor:MSIL/AsyncRat.AD!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	MSIL.Backdoor.DCRat.D
Varist	W32/Samas.B.gen!Eldorado
AhnLab-V3	Malware/Win32.RL_Generic.C4267562
BitDefenderTheta	Gen:NN.ZemsilF.36802.dm0@ayr3qSj
DeepInstinct	MALICIOUS
VBA32	OScope.Backdoor.MSIL.Crysan
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXEC2Z
Tencent	Msil.Backdoor.Crysan.Ymhl
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.CFQ!tr

start.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All