Report - Bypass.exe

Antivirus AsyncRAT backdoor
Created: 2021.03.22 10:25   Machine: s1_win7_x6402
Filename: Bypass.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: Not found   Behavior Score: 11.4
ZERO API file: clean
VT API (file): 28 detected (GenericKD, Artemis, Unsafe, ATRAPS, ZelphiF, @Z0@aGIITDli, Malicious, CLOUD, DownLoader38, Static AI, Suspicious PE, Wacatac, score, ai score=84, HwUBDDcA)
md5: 897aabd3ac16050d62b8aacf85541454
sha256: 1d2ca907c73941dfcd91aa2ef0b96ecc137146be0dfd654e52f9408100f8fbbb
ssdeep: 98304:tNe4YEmqvxHf+c1JgNuasG5Oi/d+nPJWvioOkSgxgpDhsoCIP6WRalZLCwpokCFH:QJCmuasG5Oi1+hWviPDthPV
imphash: f3824cacc86c0ab5105b48ce4be7925d
impfuzzy: 192:1cdq2UuXdVYTexCS6TOwI7uaQdO7u9OsETF1TuQy6:1cEoP6TOGaQdOAOsEpY6

Signatures (26 counts)

Level Description
danger The processes wscript.exe
danger Disables Windows Security features
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Creates and runs a batch file to remove the original binary
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Uses Windows APIs to generate a cryptographic key

Rules (32 counts)

Level Name Description Collection
watch Antivirus Contains references to security software binaries (download)
notice Str_Win32_Internet_API Match Windows Inet API call binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info borland_delphi Borland Delphi 2.0 - 7.0 / 2005 - 2007 binaries (upload)
info HasDebugData DebugData Check binaries (download)
info HasDebugData DebugData Check binaries (upload)
info IsNET_EXE (no description) binaries (download)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info keylogger Run a keylogger binaries (upload)
info network_dropper File downloader/dropper binaries (upload)
info network_tor Communications over TOR network binaries (upload)
info screenshot Take screenshot binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)
info win_files_operation Affect private profile binaries (upload)
info win_files_operation Affect private profile memory
info win_private_profile Affect private profile memory
info win_registry Affect system registries binaries (upload)
info win_registry Affect system registries memory
info win_token Affect system token memory

Network (8 counts)

Request CC ASN Co IP4 Rule ZERO
https://cdn.discordapp.com/attachments/790590543397781576/820879760904683561/System.exe Unknown 162.159.129.233 clean
https://cdn.discordapp.com/attachments/790590543397781576/816661031254229033/Disable.vbs Unknown 162.159.129.233 clean
https://cdn.discordapp.com/attachments/790590543397781576/821076672370573422/Machos1.exe Unknown 162.159.129.233 clean
https://cdn.discordapp.com/attachments/790590543397781576/821075940146282537/Token_Stealer.bat Unknown 162.159.129.233 clean
raw.githubusercontent.com US FASTLY 185.199.108.133 malware
cdn.discordapp.com Unknown 162.159.130.233 malware
162.159.129.233 Unknown 162.159.129.233 malware
185.199.111.133 US FASTLY 185.199.111.133 malicious
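The network table above, together with the "Communicates with host for which no DNS query was performed" signature, is the part of this report a detection engineer would turn into logic. The following Python script is an added example, not part of the sandbox report: it takes the four Discord CDN attachment URLs from the table as exact-match indicators, generalises the pattern to "executable-type file fetched from a chat/code CDN", and replays a constructed (hypothetical, not captured) sequence of DNS, connection and HTTP events to flag direct-to-IP connections that were never preceded by a DNS answer. The event format, the sample lines and the rule names are assumptions made for this example.

```python
from urllib.parse import urlparse

# Indicators copied verbatim from the report's Network table.
REPORT_URLS = {
    "https://cdn.discordapp.com/attachments/790590543397781576/820879760904683561/System.exe",
    "https://cdn.discordapp.com/attachments/790590543397781576/816661031254229033/Disable.vbs",
    "https://cdn.discordapp.com/attachments/790590543397781576/821076672370573422/Machos1.exe",
    "https://cdn.discordapp.com/attachments/790590543397781576/821075940146282537/Token_Stealer.bat",
}

# Generalisation of the report's pattern (assumption): a payload-type file served
# from a CDN that attackers commonly abuse for staging, not a normal web host.
ABUSED_CDN_HOSTS = {"cdn.discordapp.com", "raw.githubusercontent.com"}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1")

# Constructed sample events (hypothetical, not from the sandbox capture).
# One record per line, in the made-up format:
#   <time> DNS  <queried-name> <answer-ip>
#   <time> CONN <dst-ip> <dst-port>
#   <time> HTTP <dst-ip> <url>
SAMPLE_EVENTS = [
    "10:25:01 DNS cdn.discordapp.com 162.159.129.233",
    "10:25:02 HTTP 162.159.129.233 https://cdn.discordapp.com/attachments/790590543397781576/816661031254229033/Disable.vbs",
    "10:25:03 HTTP 162.159.129.233 https://cdn.discordapp.com/attachments/790590543397781576/820879760904683561/System.exe",
    "10:25:04 DNS raw.githubusercontent.com 185.199.108.133",
    "10:25:05 CONN 185.199.108.133 443",
    "10:25:06 CONN 185.199.111.133 443",  # never returned by any DNS answer above
    "10:25:07 HTTP 162.159.129.233 https://cdn.discordapp.com/attachments/123456789012345678/123456789012345678/readme.txt",
]


def is_payload_from_chat_cdn(url):
    """True when the URL points at a payload-type file on an abused CDN host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in ABUSED_CDN_HOSTS and parsed.path.lower().endswith(PAYLOAD_EXTENSIONS)


def analyze(events):
    """Replay events in order and return a list of (rule, detail) findings.

    Rules:
      no_dns_for_host        - connection to an IP no DNS answer has returned so far
      known_ioc_url          - exact match against the report's URL indicators
      payload_from_chat_cdn  - generalised pattern: executable-type file from an abused CDN
    """
    resolved_ips = set()
    findings = []
    for line in events:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed record; skip rather than crash the analysis
        ts, kind, field3, field4 = parts
        if kind == "DNS":
            # DNS answers populate the set of "expected" destinations.
            resolved_ips.add(field4)
            continue
        dst_ip = field3
        if dst_ip not in resolved_ips:
            findings.append(("no_dns_for_host", f"{ts} {kind} to {dst_ip} with no prior DNS answer"))
        if kind == "HTTP":
            url = field4
            if url in REPORT_URLS:
                findings.append(("known_ioc_url", url))
            if is_payload_from_chat_cdn(url):
                findings.append(("payload_from_chat_cdn", url))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The script deliberately does not alert on the IP addresses alone: 162.159.x.x and 185.199.x.x are shared Cloudflare and Fastly anycast ranges that carry large amounts of legitimate traffic, so the URL path (or, better, the file hashes at the top of the report) is the indicator worth pivoting on. The "no DNS answer" check is the useful behavioural signal here, and it is only meaningful when the DNS and connection telemetry come from the same host and time window.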

Suricata IDS
