Report - swag.exe

AsyncRAT backdoor

ScreenShot

Info
Location map


Created	2021.04.19 08:51	Machine	s1_win7_x6401
Filename	swag.exe
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score	6	Behavior Score	3.4
ZERO API	file : clean
VT API (file)	44 detected (malicious, high confidence, Razy, Fareit, Unsafe, Save, Eldorado, Attribute, HighConfidence, DropperX, Samas, Crysan, Ahxw, Siggen9, R + Mal, Static AI, Malicious PE, AsyncRat, 1P6RO87, score, ZemsilF, cm0@amF, ai score=89, AntiVM, CLOUD, CoinMiner, confidence, 100%, QVM03)
md5	e708a1326e771df1d327cf23fce3e5ec
sha256	b5674319bcebd9014b56b75c0a0f425ba8163c7798dfa0d27950313e2e5c3ba1
ssdeep	768:RuwCfTg46YbWUn9jjmo2qr30ewtDcy0oiZPIHzjbGgX3iZfh2DW/B8BDZjf+:RuwCfTgpM28wRPiWH3bZXS3AWpadjf+
imphash	f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy	3:rGsLdAIEK:tf

Network IP location

Signature (3cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 44 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed

Rules (8cnts)

Level	Name	Description	Collection
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check Signature Zero	binaries (upload)
info	PE_Header_Zero	PE File Signature Zero	binaries (upload)
info	IsNET_EXE	(no description)	binaries (upload)
info	IsWindowsGUI	(no description)	binaries (upload)
info	Win32_Trojan_PWS_Azorult_Net_1_Zero	Win32 Trojan PWS .NET Azorult	binaries (upload)
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (upload)
info	win_mutex	Create or check mutex	binaries (upload)

Network (1cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
144.202.124.67 whois		AS-CHOOPA	144.202.124.67		clean

Suricata ids

PE API

IAT(Import Address Table) Library

mscoree.dll
0x402000 _CorExeMain

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure