MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b
SHA3-384 hash:	3dcdfb14eeb6141702f3f2426d598f8d2814a3007ace8647634e9a5be00df7b055239eee5088d3f5e6c6732de2958382
SHA1 hash:	5b901f0d34364835d6ea4c473c313fad8854f448
MD5 hash:	12acf1859f6fc1c824484be4b632dbee
humanhash:	network-pennsylvania-timing-cardinal
File name:	wmplayer.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	4'612'608 bytes
First seen:	2024-09-18 12:34:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:U3nD/rDzU2IGiJSVZQ7sXRB7mtYlZ678bKI3h8hulx/SRK4k7C7Scx5+K9Aryyj2:IhYF
Threatray	3'161 similar samples on MalwareBazaar
TLSH	T151261AF8A19B85E1F8079DE565A8BE96063330B3CDD50C24532D7A040FBAD5A3A4DE4F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	00f0e4c8d8c8e4e0 (2 x CobaltStrike, 1 x AgentTesla, 1 x SnakeKeylogger)
Reporter	JAMESWT_WT
Tags:	AsyncRAT exe imperiodosabor-shop

Intelligence

File Origin

# of uploads :

# of downloads :

393

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

wmplayer.exe

Verdict:

Malicious activity

Analysis date:

2024-09-18 12:42:36 UTC

Tags:

asyncrat

Link:

https://app.any.run/tasks/dadda17d-bf38-43ee-b185-3e0aae9c7e88

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66eac8bd5d6a2b58599aa7ea

Tags:

Stealth Nekark

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm net_reactor packed

Link:

https://www.filescan.io/uploads/66eac8bfd2758b8668ba8adc/reports/ab91d700-4b73-492d-90fd-11ea2cc54666/overview

Verdict:

Malicious

Labled as:

MSIL.Androm.Generic

Link:

https://www.hybrid-analysis.com/sample/25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/45670f22-3846-411f-a138-d2a99fe43b9b

Result

Threat name:

AsyncRAT, DcRat, PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1513134

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Costura Assembly Loader

Yara detected DcRat

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b/

Threat name:

ByteCode-MSIL.Backdoor.Asyncrat

Status:

Malicious

First seen:

2024-06-14 15:05:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=evazuetwn275f3njjxizdlqqlf2mdzedi7bns3ras7sxtz5pfbvq._file

Verdict:

malicious

Label(s):

asyncrat

sorano

AsyncRAT

26a5b9490900de42640459783686e8a85138f37c015c0099b296f8cd396c1953

AsyncRAT

4e7715a80f631187621f1840f2c44f26aea8570fb7dd24e87273873b126a3b7d

AsyncRAT

5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f

AsyncRAT

7c190a66de1e69720ea226dab36f86d3d26d15e60fe20a6b20cfbd20e548bc02

AsyncRAT

a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff

AsyncRAT

b7c0f7b80c62db35dd345117351e8d872d698b13bb6f72a300a917d3e5680e6f

AsyncRAT

+ 3'151 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default discovery persistence rat

Link:

https://tria.ge/reports/240918-prryzssbpm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

AsyncRat

Malware Config

C2 Extraction:

imperiodosabor.shop:8821

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9a8d1f41-6e2a-41d3-88fc-6cb2dd6bfbed

Unpacked files

SH256 hash:

d9c4f67bf36a484904d39c1493c06641089305ff65d9cf7f20cc1d78e9216710

MD5 hash:

95b59581974c20de8b7cd1082d8c84be

SHA1 hash:

4ae1878f4bf09bc82a8e2895c722a820a7e46a9d

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a524eeb4-64b5-4fbb-bcea-53d1170aa5b7/

SH256 hash:

25419a12766ebfd2eda94dd191ae105974c1e48347c2d96e2097e579e7af286b

MD5 hash:

12acf1859f6fc1c824484be4b632dbee

SHA1 hash:

5b901f0d34364835d6ea4c473c313fad8854f448

Link:

https://www.unpac.me/results/a524eeb4-64b5-4fbb-bcea-53d1170aa5b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample