MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87
SHA3-384 hash: 76b7188eaedcb1c7827f4cdc6349dc2d4b55cb518a34468466faeb7ac17001630d0ba9ab77a30bf47fcfebb13823b566
SHA1 hash: cc4fd4ce2a491334122e00ae211f4f764cedf20c
MD5 hash: 05bc64e823174c1bdf0b80db4ca19037
humanhash: angel-echo-lamp-alpha
File name:05bc64e823174c1bdf0b80db4ca19037.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'384'144 bytes
First seen:2023-12-02 16:32:45 UTC
Last seen:2023-12-02 18:27:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56c345b720bb7633763f74a221e11e1f (1 x AsyncRAT)
ssdeep 24576:7pvhzbT51f6B5XErG3xEEsjjCNeDmfXLVhWAejC19Eh05MYaU6IRmzRCwHVsc6I:7ZdPiB5CFi2ae1VZ6I
Threatray 57 similar samples on MalwareBazaar
TLSH T14155E172B2E04537C0373B789D5B97A9A835BE113D2898477BE45D8C6F3B781382A193
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 884dd6d9d2b60b96 (1 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461900/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Agent.UBJSYB.3364.8121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control hook keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/656b627f2efa450749b46195/reports/96a06a15-78d2-48e4-9866-9c7c59602455/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/53a59daf-1077-44f3-bada-6549046a68c3
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352104
Signature
Contains functionality to modify clipboard data
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1352104 Sample: kj4nOeDPjl.exe Startdate: 02/12/2023 Architecture: WINDOWS Score: 100 71 JiOWngCJdXjgubID.JiOWngCJdXjgubID 2->71 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 3 other signatures 2->87 11 kj4nOeDPjl.exe 9 2->11         started        14 wscript.exe 1 1 2->14         started        17 wscript.exe 1 2->17         started        signatures3 process4 file5 67 C:\Users\user\AppData\Local\Temp\...\Infected, PE32+ 11->67 dropped 19 cmd.exe 1 11->19         started        22 conhost.exe 11->22         started        99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->99 24 MindWave.pif 14->24         started        26 MindWave.pif 17->26         started        signatures6 process7 signatures8 89 Uses ping.exe to sleep 19->89 91 Drops PE files with a suspicious file extension 19->91 93 Uses ping.exe to check the status of other devices and networks 19->93 28 cmd.exe 1 19->28         started        31 conhost.exe 19->31         started        process9 signatures10 95 Uses ping.exe to sleep 28->95 33 Perceived.pif 5 28->33         started        37 cmd.exe 2 28->37         started        39 cmd.exe 2 28->39         started        41 6 other processes 28->41 process11 file12 59 C:\Users\user\AppData\Local\...\MindWave.pif, PE32+ 33->59 dropped 61 C:\Users\user\AppData\Local\...\MindWave.js, ASCII 33->61 dropped 63 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32+ 33->63 dropped 73 Drops PE files with a suspicious file extension 33->73 75 Deletes itself after installation 33->75 77 Writes to foreign memory regions 33->77 79 2 other signatures 33->79 43 cmd.exe 2 33->43         started        47 cmd.exe 1 33->47         started        49 RegAsm.exe 4 33->49         started        65 C:\Users\user\AppData\Local\...\Perceived.pif, PE32+ 37->65 dropped signatures13 process14 file15 69 C:\Users\user\AppData\...\MindWave.url, MS 43->69 dropped 97 Uses schtasks.exe or at.exe to add and modify task schedules 43->97 51 conhost.exe 43->51         started        53 conhost.exe 47->53         started        55 schtasks.exe 1 47->55         started        57 WerFault.exe 4 49->57         started        signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 22:47:59 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klydsfblxbfve2fczaytramnh2e4gaapjdx5iqc37mrpdy7z5kdq._file
Verdict:
malicious
Similar samples:
0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7
AsyncRAT
57bd1d7a3ce9a10797575f75af56a675b3739ab5901e383a7870b17fa328ecb4
AsyncRAT
5f82de6e269c0ae7f1f3b445bc9911ec8cd3d26d61eca2ba0202fa799ff5023e
AsyncRAT
9f7b7f84298ff1ca0a0bdd87fc2d6ea25b89cea705ea37c61c95df03b7791348
AsyncRAT
a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638
AsyncRAT
ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
AsyncRAT
ade3cb4d8d6dc56650eb1b32afb7cf7797c52d262a686db30aca473754b7029d
AsyncRAT
c6ecdbe4c6170d3ec9b20e20717ba27169b9e409c9b49690f0e09986651c744f
AsyncRAT
+ 47 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:asguard-protector rat
Link:
https://tria.ge/reports/231202-t2hwaaea79/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.196.8.10:4449
Unpacked files
SH256 hash:
52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87
MD5 hash:
05bc64e823174c1bdf0b80db4ca19037
SHA1 hash:
cc4fd4ce2a491334122e00ae211f4f764cedf20c
Link:
https://www.unpac.me/results/63c2f833-ef25-4b7c-bfe0-49e753592915/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/461900/

Comments