Report - done.exe

AsyncRAT backdoor

ScreenShot

Info
Location map


Created	2021.04.05 13:25	Machine	s1_win7_x6401
Filename	done.exe
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
AI Score	7	Behavior Score	2.8
ZERO API	file : malware
VT API (file)	35 detected (malicious, high confidence, GenericKD, Artemis, Unsafe, Save, Kryptik, Dothetuk, Eldorado, dbljc, Wacatac, score, ai score=90, PossibleThreat, PALLASNET, confidence, H8kATgYA)
md5	4e62febb0ac594a5f0e92021ae54850f
sha256	16486755e20c9abda9b01c31fa8bdd80033f5c2c5320fa1611645942b4612987
ssdeep	768:7c9TdcNfhldBQCTsWA6zSdmQUjfcsiB7FPPVUn3VmiAJbcxOXyu+yTdxOGFqRD10:eK9hlICTbfWxUjfiBYgiSE4dUSrUY
imphash
impfuzzy	3::

Network IP location

Signature (7cnts)

Level	Description
danger	File has been identified by 35 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid

Rules (6cnts)

Level	Name	Description	Collection
info	IsPE64	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check Signature Zero	binaries (upload)
info	PE_Header_Zero	PE File Signature Zero	binaries (upload)
info	ImportTableIsBad	ImportTable Check	binaries (upload)
info	IsWindowsGUI	(no description)	binaries (upload)
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure