MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1
SHA3-384 hash: 59c53ddc0f55d2de991bf997e0a343c03ace3ed55dcbeea309b8e28137f400ec48dd399e42b0e71c238950c46a710a2b
SHA1 hash: b11bd8e15ba5c4c80f3ab9320a0bafe4a1ade685
MD5 hash: c161eac186f0923095e250aa7b0896f1
humanhash: mountain-california-beer-dakota
File name:c161eac186f0923095e250aa7b0896f1.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'736'192 bytes
First seen:2023-12-18 09:45:49 UTC
Last seen:2023-12-18 11:29:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f2f006e2ecf7172ad368f8289dc96c1 (40 x LummaStealer, 18 x SalatStealer, 17 x CobaltStrike)
ssdeep 24576:poipzrNGtW2m1d7tkZjOvzARoUS8JGG42K:ZfNGQ2akZj2Ehn
Threatray 11 similar samples on MalwareBazaar
TLSH T104854B8BBC9515B6C0AA92378966A1917B31BC481F3123C73E90B7BC2F76BD09E35744
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
424
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
c161eac186f0923095e250aa7b0896f1.exe
Verdict:
Malicious activity
Analysis date:
2023-12-18 09:48:22 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/bb5475a6-ca09-4c25-97c4-d0bd108a807f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468281/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Agent.23421.21255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang monero
Link:
https://www.filescan.io/uploads/658014ddf4b6e5e1634eb924/reports/ca18cf08-8860-4651-8c9d-96f5e3382a71/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/043308e8-7f45-4bdd-8a23-ff3cd6123fbe
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363876
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Protects its processes via BreakOnTermination flag
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1363876 Sample: nlUynYLVxE.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 4 other signatures 2->55 8 nlUynYLVxE.exe 8 2->8         started        12 SrongWorn&9.exe 1 3 2->12         started        process3 dnsIp4 43 C:\Users\user\AppData\...\SrongWorn&9.exe, PE32+ 8->43 dropped 57 Protects its processes via BreakOnTermination flag 8->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->59 61 Writes to foreign memory regions 8->61 15 cmd.exe 1 8->15         started        17 cmd.exe 1 8->17         started        20 conhost.exe 8->20         started        22 notepad.exe 8->22         started        45 5.75.147.113, 3000, 49704 HETZNER-ASDE Germany 12->45 63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 67 Potentially malicious time measurement code found 12->67 24 conhost.exe 12->24         started        26 notepad.exe 12->26         started        file5 signatures6 process7 signatures8 28 SrongWorn&9.exe 4 15->28         started        31 conhost.exe 15->31         started        33 timeout.exe 1 15->33         started        47 Uses schtasks.exe or at.exe to add and modify task schedules 17->47 35 conhost.exe 17->35         started        37 schtasks.exe 1 17->37         started        process9 signatures10 69 Writes to foreign memory regions 28->69 39 conhost.exe 28->39         started        41 notepad.exe 28->41         started        process11
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 09:46:06 UTC
File Type:
PE+ (Exe)
AV detection:
12 of 23 (52.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2y3pwhaknzsyjtgpfgqzxqiwcndaryoabff3z4pj3tq2ry7xxqq._file
Verdict:
malicious
Similar samples:
3a7ac66fcf7fee4625ed4d90a107782e80226ff28a4763743fe4c8559b4c80fd
AsyncRAT
5c32062a372ad19dafb9464f68c4861989d2b784fb2e52183fcb6d9e789b210e
AsyncRAT
64ac6e203cc0ad51cf3f1fa12f8097c44baf63d542c32576c0d9630d696231da
AsyncRAT
826c93b5f8974e81c812e7f11c63d33b8cfdc84f45c402ae22e7794dc81e5893
AsyncRAT
c1354dcaa9389550c2013e23418bb5c71474b6c368f8e68e51e31faa64ba4ea1
AsyncRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/231218-lrl6ysbdc2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:3000
5.75.147.113:3000
Unpacked files
SH256 hash:
a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1
MD5 hash:
c161eac186f0923095e250aa7b0896f1
SHA1 hash:
b11bd8e15ba5c4c80f3ab9320a0bafe4a1ade685
Link:
https://www.unpac.me/results/17eb33d8-9e0d-4f27-8413-0e14914e9fa0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6b1b7d8e053/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6b1b7d8e053732c2666794d0cde08b09a30470e004a5de78f4ee70d471fbde1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468281/

Comments