Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 26, 2025, 11:15 a.m.	March 26, 2025, 11:25 a.m.

Size	45.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`7e54eec2d10957178e6410ba1c899c21`
SHA256	`d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8`
CRC32	`99574FC2`
ssdeep	`768:suMDi+TDlxOZvWUjrFwONmo2qz1tnCa5S3APIczjbWgX3sypbm6+lvSsWEyajtBD:suMD1TDlsPF/28tjg3lc3bJXf1r+lvZ7`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) AsyncRat - AsyncRat Payload IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe"' & exit
2964
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe"'
  1120
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpC723.tmp.bat""
3020
- timeout.exe timeout 3
  2080

Name	Response	Post-Analysis Lookup
chongmei33.publicvm.com	A 46.246.80.65	46.246.80.65

IP Address	Status	Action
142.250.66.35	Active	Moloch
157.240.215.63	Active	Moloch
185.11.61.15	Active	Moloch
185.11.61.16	Active	Moloch
185.156.72.27	Active	Moloch
185.156.72.58	Active	Moloch
185.42.12.21	Active	Moloch
185.42.12.45	Active	Moloch
185.7.214.51	Active	Moloch
185.7.214.57	Active	Moloch
164.124.101.2	Active	Moloch
46.246.80.65	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.11.61.16:431 -> 192.168.56.101:49175	2400028	ET DROP Spamhaus DROP Listed Traffic Inbound group 29	Misc Attack
TCP 185.156.72.27:431 -> 192.168.56.101:49178	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
TCP 185.156.72.58:431 -> 192.168.56.101:49176	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
TCP 185.11.61.15:431 -> 192.168.56.101:49177	2400028	ET DROP Spamhaus DROP Listed Traffic Inbound group 29	Misc Attack
TCP 185.7.214.57:487 -> 192.168.56.101:49244	2400028	ET DROP Spamhaus DROP Listed Traffic Inbound group 29	Misc Attack
TCP 185.7.214.51:431 -> 192.168.56.101:49181	2400028	ET DROP Spamhaus DROP Listed Traffic Inbound group 29	Misc Attack
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic
TCP 46.246.80.65:2703 -> 192.168.56.101:49171	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 46.246.80.65:2703 -> 192.168.56.101:49171	2035595	ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49171 46.246.80.65:2703	CN=AsyncRAT Server	CN=AsyncRAT Server	69:a9:03:dc:37:e5:95:8d:62:b2:0e:e9:86:4c:1c:f7:35:ed:35:46

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 26, 2025, 11:16 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 26, 2025, 11:16 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW March 26, 2025, 11:16 a.m.	buffer: SUCCESS: The scheduled task "WindowsUpdate" has successfully been created. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe"'

Communicates with host for which no DNS query was performed (10 events)

host	142.250.66.35
host	157.240.215.63
host	185.11.61.15
host	185.11.61.16
host	185.156.72.27
host	185.156.72.58
host	185.42.12.21
host	185.42.12.45
host	185.7.214.51
host	185.7.214.57

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\test22\AppData\Local\Temp\WindowsUpdate.exe"'

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3020 resumed a thread in remote process 2180
NtResumeThread March 26, 2025, 11:16 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2180	1	0	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.AsyncRAT.m!c
CAT-QuickHeal	Trojan.IgenericFC.S14890850
Skyhigh	BehavesLike.Win32.Fareit.pm
ALYac	Generic.AsyncRAT.Marte.B.53D1D6E3
Cylance	Unsafe
VIPRE	Generic.AsyncRAT.Marte.B.53D1D6E3
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.AsyncRAT.Marte.B.53D1D6E3
K7GW	Trojan ( 005c228f1 )
K7AntiVirus	Trojan ( 005c228f1 )
Arcabit	Generic.AsyncRAT.Marte.B.53D1D6E3
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of MSIL/AsyncRAT.A
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Razy-9625918-0
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/AsyncRat.d3f81bdd
NANO-Antivirus	Trojan.Win32.Crysan.kwiyxk
SUPERAntiSpyware	Trojan.Agent/Gen-Kryptik
MicroWorld-eScan	Generic.AsyncRAT.Marte.B.53D1D6E3
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
Emsisoft	Generic.AsyncRAT.Marte.B.53D1D6E3 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Siggen9.56514
Zillya	Trojan.Agent.Win32.1334350
TrendMicro	Backdoor.MSIL.ASYNCRAT.SMXSR
McAfeeD	ti!D7D374D650D3
CTX	exe.trojan.msil
Sophos	Troj/AsyncRat-B
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.7e54eec2d1095717
Jiangmin	Backdoor.MSIL.cxnh
Google	Detected
Avira	TR/Dropper.Gen
Kingsoft	malware.kb.c.1000
Gridinsoft	Trojan.Win32.AsyncRAT.tr
Microsoft	Backdoor:MSIL/AsyncRat.AD!MTB
ZoneAlarm	Troj/AsyncRat-B
GData	MSIL.Backdoor.DCRat.D
Varist	W32/Samas.B.gen!Eldorado
AhnLab-V3	Malware/Win.Generic.R414554
McAfee	ACL/Generic.QZKY
DeepInstinct	MALICIOUS
VBA32	OScope.Backdoor.MSIL.Crysan
Malwarebytes	Generic.Malware.AI.DDS

we.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All