MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments 1

SHA256 hash:	c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385
SHA3-384 hash:	a808190c53e0ca86aa972c7f8bbfbfe12a70ff526ad97bde9efe99f04c1d488215fe5e60a484304c3e7384710849ab2b
SHA1 hash:	f07bc15abf8502f02e195e99640615694c51f3f2
MD5 hash:	fc6fd81a678a04c038025517612e228a
humanhash:	lactose-jupiter-iowa-kentucky
File name:	fc6fd81a678a04c038025517612e228a
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	75'776 bytes
First seen:	2023-12-03 13:44:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	1536:kUEkcx4VHsC0SPMV7e9VdQuDI6H1bf/FyaQzcw6VclN:kUxcx4GfSPMV7e9VdQsH1bf9pQZIY
Threatray	313 similar samples on MalwareBazaar
TLSH	T1F4734B013BE8CD2AF2AE47B9ACB256070EF4D1576512CE5E3CC440DD5A67BC686037EA
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462087/

Detection(s):

Win.Packed.Razy-9807129-0

Win.Malware.Generickdz-9865912-0

Win.Trojan.AsyncRAT-9914220-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Setting a global event handler for the keyboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm asyncrat configsecuritypolicy evasive hacktool hook keylogger lolbin mpcmdrun msconfig msiexec njrat packed rat razy regedit replace schtasks

Link:

https://www.filescan.io/uploads/656c865fbcca970107d7e058/reports/913f1546-9257-4f47-a997-d43b5646415d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ModernLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/13e987a3-a37d-4941-b823-f1ed406a6673

Result

Threat name:

AsyncRAT, VenomRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1352540

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385/

Threat name:

ByteCode-MSIL.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2023-12-01 01:40:00 UTC

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yuirh6ctcos25efkzsxjy4lsvfqwbrmrkfm7zr7nhefoh2sbmocq._file

Verdict:

malicious

AsyncRAT

52f039142bb84b5268a2c83138818d3e89c3000f48efd4405bfb22f1e3f9ea87

AsyncRAT

5675b6a982a8224078a4c5338480f37f536a29ade205f85a39d2cbe6cc28815d

AsyncRAT

951dbdb3c729d3ea42bb5aa2d2ce9f265d7acb67b170e890365a783a99e24164

AsyncRAT

b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

AsyncRAT

bba9f40b22002ac5336810d1044d24ed0294038899eb86b10caa180fbd76855e

AsyncRAT

c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

AsyncRAT

e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738

AsyncRAT

+ 303 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/231203-q2dd1scb47/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

127.0.0.1:4449

Unpacked files

SH256 hash:

c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

MD5 hash:

fc6fd81a678a04c038025517612e228a

SHA1 hash:

f07bc15abf8502f02e195e99640615694c51f3f2

Detections:

VenomRat

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

win_asyncrat_unobfuscated

Link:

https://www.unpac.me/results/ac591e08-d995-4e60-b065-d4ed3a324bf3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c51113f85313a5ae90aaccae9c7172a96160c5915159fcc7ed390ae3ea416385

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MAL_AsnycRAT Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	MAL_AsyncRAT_Config_Decryption Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	win_asyncrat_unobfuscated Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)