popup

Report - RegSvcs.exe

PWS .NET framework RAT UPX Malicious Library Malicious Packer OS Processor Check .NET EXE PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.29 11:09 Machine s1_win7_x6403
Filename RegSvcs.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
1.4
ZERO API file : clean
VT API (file)
md5 004a919e31049dce0f9b96699cbbec5e
sha256 d1c039fb87895247898f0aa097da23c61417f6c248e335aa6da1b7df442e39e1
ssdeep 1536:em4JvBJ0twggJ7rU+aab0yFiSgj1Rr2Lbxx:em4RBJ0tw3rUdabF8Xr2LVx
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (2cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
notice Connects to a Dynamic DNS Domain

Rules (9cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
4-hitler.publicvm.com
whois
US 1GSERVERS 207.32.216.119 clean
hitler5573.linkpc.net
whois
US 1GSERVERS 142.202.240.126 clean
207.32.216.119
whois
US 1GSERVERS 207.32.216.119 clean
142.202.240.126
whois
US 1GSERVERS 142.202.240.126 clean

Suricata ids

ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure