Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 29, 2024, 9:31 a.m. | March 29, 2024, 9:37 a.m. |
-
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' & exit
2992-
schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'
2072
-
-
-
timeout.exe timeout 3
2080
-
Name | Response | Post-Analysis Lookup |
---|---|---|
leetboy.dynuddns.net | 185.196.11.223 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 185.196.11.223:1339 -> 192.168.56.101:49171 | 2400021 | ET DROP Spamhaus DROP Listed Traffic Inbound group 22 | Misc Attack |
TCP 185.196.11.223:1339 -> 192.168.56.101:49171 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | Domain Observed Used for C2 Detected |
TCP 185.196.11.223:1339 -> 192.168.56.101:49171 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | Domain Observed Used for C2 Detected |
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2045995 | ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49171 185.196.11.223:1339 |
CN=AsyncRAT Server | CN=AsyncRAT Server | c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90 |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' |
file | C:\Users\test22\AppData\Roaming\svchos.exe |
file | C:\Users\test22\AppData\Roaming\svchos.exe |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | task schedule | rule | schtasks_Zero | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' |
cmdline | schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' |
Bkav | W32.AIDetectMalware.CS |
Lionic | Trojan.Win32.AsyncRAT.m!c |
Elastic | Windows.Generic.Threat |
CAT-QuickHeal | Backdoor.MsilFC.S14901152 |
Skyhigh | BehavesLike.Win32.Fareit.km |
ALYac | Generic.AsyncRAT.Marte.B.6A4546A1 |
Cylance | unsafe |
VIPRE | Generic.AsyncRAT.Marte.B.6A4546A1 |
Sangfor | Trojan.Win32.Save.a |
BitDefender | Generic.AsyncRAT.Marte.B.6A4546A1 |
Cybereason | malicious.8f05c5 |
Arcabit | Generic.AsyncRAT.Marte.B.6A4546A1 |
VirIT | Trojan.Win32.MSIL_Heur.B |
Symantec | MSIL.Trojan!gen7 |
ESET-NOD32 | a variant of MSIL/AsyncRAT.A |
APEX | Malicious |
McAfee | PWS-FCQR!C1ADE258F05C |
Avast | Win32:DropperX-gen [Drp] |
ClamAV | Win.Packed.Razy-9625918-0 |
Kaspersky | HEUR:Backdoor.MSIL.Crysan.gen |
Alibaba | Backdoor:MSIL/AsyncRat.749dc0b2 |
MicroWorld-eScan | Generic.AsyncRAT.Marte.B.6A4546A1 |
Rising | Trojan.AntiVM!1.CF63 (CLASSIC) |
Emsisoft | Generic.AsyncRAT.Marte.B.6A4546A1 (B) |
F-Secure | Trojan.TR/Dropper.Gen |
DrWeb | BackDoor.AsyncRATNET.2 |
TrendMicro | Backdoor.Win32.ASYNCRAT.YXEC2Z |
FireEye | Generic.mg.c1ade258f05c512e |
Sophos | Troj/AsyncRat-B |
Ikarus | Backdoor.AsyncRat |
Jiangmin | Backdoor.MSIL.gffx |
Detected | |
Avira | TR/Dropper.Gen |
MAX | malware (ai score=86) |
Kingsoft | malware.kb.c.1000 |
Gridinsoft | Backdoor.Win32.Generic.sa |
Microsoft | Backdoor:MSIL/AsyncRat.AD!MTB |
ZoneAlarm | HEUR:Backdoor.MSIL.Crysan.gen |
GData | MSIL.Backdoor.DCRat.D |
Varist | W32/Samas.B.gen!Eldorado |
AhnLab-V3 | Malware/Win32.RL_Generic.C4267562 |
BitDefenderTheta | Gen:NN.ZemsilF.36802.dm0@ayr3qSj |
DeepInstinct | MALICIOUS |
VBA32 | OScope.Backdoor.MSIL.Crysan |
Malwarebytes | Generic.Malware.AI.DDS |
Panda | Trj/GdSda.A |
TrendMicro-HouseCall | Backdoor.Win32.ASYNCRAT.YXEC2Z |
Tencent | Msil.Backdoor.Crysan.Ymhl |
SentinelOne | Static AI - Malicious PE |
Fortinet | MSIL/Agent.CFQ!tr |