popup

Report - Software.3.2.exe

PWS .NET framework RAT .NET EXE PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.16 08:56 Machine s1_win7_x6403
Filename Software.3.2.exe
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
AI Score
7
 Behavior Score
3.8
ZERO API file : clean
VT API (file) 46 detected (AIDetectNet, Seraph, Cerbu, YakbeexMSIL, FormBook, Save, Kryptik, Eldorado, Attribute, HighConfidence, malicious, high confidence, score, SpywareX, Mqil, AGEN, CINOSHI, SMTH, ai score=86, CinoshiStealer, FHZXD9, Detected, R561300, Artemis, HeapOverride, unsafe, MSIL@AI, MSIL2, oYMgC6D2XfGtcGTJN2c0fA, Static AI, Malicious PE, susgen, ZemsilF, Lu0@a87Mt8k)
md5 6bd02e751b2b2033e163645d2d818ea0
sha256 4d35f6ecb36219505e4635b8265e5a3586e32b5915f32f96e2bf98eab20d7e04
ssdeep 12288:esFMNuE/meY9OuzQ3dSHwPsaRCQqmuEt5p+Rm3m8Kv2DDFkyCv1WXlvy3u4S1/QG:ehNrOLMuzKU
imphash f34d5f2d4577ed6d9ceec516c1f5a744
impfuzzy 3:rGsLdAIEK:tf
  Network IP location

Signature (10cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (5cnts)

Level Name Description Collection
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (upload)
info Is_DotNET_EXE (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
tryno.ru
whois
NL LeaseWeb Netherlands B.V. 95.211.16.66 clean
95.211.16.66
whois
NL LeaseWeb Netherlands B.V. 95.211.16.66 malware

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

mscoree.dll
 0x49a000 _CorExeMain

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure