popup

Report - payload2.dll

PWS .NET framework RAT UPX Malicious Library Malicious Packer OS Processor Check .NET EXE PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.14 13:40 Machine s1_win7_x6402
Filename payload2.dll
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
6
 Behavior Score
1.6
ZERO API file : clean
VT API (file) 53 detected (AIDetectNet, Windows, Asyncrat, Marte, Razy, IgenericFC, S14890850, Fareit, Save, malicious, confidence, 100%, ZemsilF, cm0@a4te13j, Genus, Samas, Eldorado, Attribute, HighConfidence, score, Crysan, DropperX, Siggen9, SMXSR, Static AI, Malicious PE, cxnh, ai score=89, Kryptik, DCRat, Detected, OScope, unsafe, AntiVM, CLASSIC, xaLpst2UPE0, CoinMiner)
md5 f249ab6266b09f71f05c85a966f8f3d7
sha256 e22683de5510cbc523e79448c8695ae6c07e03b6548acbd8960ce243282594c0
ssdeep 768:wuwCfTg46YbWUn8jjmo2qrl8khEamPIvFjbegX3ipgb089eHVTsOazHOuBDZmx:wuwCfTgp/28EaPvNbhXSpgbcVwjLOgdE
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (2cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
notice Connects to a Dynamic DNS Domain

Rules (9cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
wbem.ddns.net
whois
Unknown 147.189.170.192 mailcious
147.189.170.192
whois
Unknown 147.189.170.192 mailcious

Suricata ids

ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x402000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure