MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4
SHA3-384 hash: d2ba1400c7dc0b85cff79abdeafbf02177c378efcdd583ebe6aea820d930ea936424a53c13a2afff6d4fb93a6d9473eb
SHA1 hash: a43a776c8534d4cb916794a1f2e295eb37fa1308
MD5 hash: 4838b64867a734df2eb8c769a2dddd53
humanhash: montana-foxtrot-victor-rugby
File name:Fatura_Odeme.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'029'120 bytes
First seen:2023-08-14 09:26:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:WNA3R5drXPbrwquAcpBb681cCMPI5YswVJKYEpOF:35jc8U1681cCMvXJKYiOF
Threatray 1'355 similar samples on MalwareBazaar
TLSH T11A259B81A6D14761D16E083225AD7AF0A5EDFD2C0A20CEDF66F0EB59C93334FE613652
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70d4aacccc8ac460 (8 x AsyncRAT, 2 x QuasarRAT, 1 x njrat)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fatura_Odeme.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-14 09:31:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7920dff-d6ee-414b-9704-13c73b2bcd1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442633/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102834/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/68c969de-7c0f-401f-8bcc-48a9944f58ee
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290891
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290891 Sample: Fatura_Odeme.exe Startdate: 14/08/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 5 other signatures 2->55 13 Fatura_Odeme.exe 9 2->13         started        process3 file4 45 C:\Users\user\AppData\...\szfdlder.sfx.exe, PE32 13->45 dropped 16 cmd.exe 1 13->16         started        process5 process6 18 szfdlder.sfx.exe 8 16->18         started        22 conhost.exe 16->22         started        file7 41 C:\Users\user\AppData\Local\...\szfdlder.exe, PE32 18->41 dropped 61 Multi AV Scanner detection for dropped file 18->61 24 szfdlder.exe 9 18->24         started        signatures8 process9 file10 43 C:\Users\user\AppData\...\afgdsfd.sfx.exe, PE32 24->43 dropped 27 cmd.exe 1 24->27         started        process11 process12 29 afgdsfd.sfx.exe 8 27->29         started        32 conhost.exe 27->32         started        file13 47 C:\Users\user\AppData\Local\...\afgdsfd.exe, PE32 29->47 dropped 34 afgdsfd.exe 3 29->34         started        process14 signatures15 57 Machine Learning detection for dropped file 34->57 59 Injects a PE file into a foreign processes 34->59 37 afgdsfd.exe 2 34->37         started        process16 process17 39 dw20.exe 22 6 37->39         started       
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 07:52:27 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aovz6lnh5g7hrasv6tqdxsdvbns5imbd24iv5v4rmlpwjsbg572a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
28ed3e9666fb281333a9f29b5667c69406ec2985fbaa888ed3bd72b8775d6772
AsyncRAT
38cf9a76e1bc9d19c99938b06174cb920e495dad632e0942b1b3bb8b50eec737
AsyncRAT
7570583507a88122beae60126d30e6ef9a0ecdf6d6e5cbfa5eadfbf2beea1f6f
AsyncRAT
77e2467db5a0e05a373577bd5a04c1f5ecd4282ded59a0d235f61fd915f2e58d
AsyncRAT
7c38066be3852f96710448493f7a68ad4124dc58c6e96a984f44610252d7e2d8
AsyncRAT
82c85f030f61b2ec5d5b7197020dc37c18ed6b0c0e1b88037d6433d8a168f7c9
AsyncRAT
909f4d32633d14714d8cf06fd47a9744e9b9d29889ba8a1c22dfc20227061e35
AsyncRAT
ea8592b2064d57ebf7f33bfa6b7fb915862795b2cbe637754bdb3f21b557c937
AsyncRAT
+ 1'345 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230814-leq95sbb23/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d9121365ed1b51304c3fd3f662c687ba1239848a1fb39cad291094ef4bfdb05c
MD5 hash:
9c707d6850d90b77abebf96bf8769965
SHA1 hash:
f425bdd8b6826d2c79d8213a2ccae98e0dfa54d1
Link:
https://www.unpac.me/results/0c7046c2-5dc2-407b-8c2b-addbfad62a23/
SH256 hash:
7dbba34e425de91c0629b1837442f2ef5bc2baba2c2732e16a9e1a74ff493152
MD5 hash:
c261e6cf3761c3996d3cb11cef4fd350
SHA1 hash:
3b1e1be16cfd691fd3376f48f6e457fe65c6ace3
Link:
https://www.unpac.me/results/0c7046c2-5dc2-407b-8c2b-addbfad62a23/
SH256 hash:
013716c3dde3904445ee4e118ac59195ca1a4c37941a379ab745395a3873c9a8
MD5 hash:
1c0c3676b3719fe347c6c248f89bd791
SHA1 hash:
0cc2626874512a461785e146e55a05b2af2740fa
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0c7046c2-5dc2-407b-8c2b-addbfad62a23/
SH256 hash:
03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4
MD5 hash:
4838b64867a734df2eb8c769a2dddd53
SHA1 hash:
a43a776c8534d4cb916794a1f2e295eb37fa1308
Link:
https://www.unpac.me/results/0c7046c2-5dc2-407b-8c2b-addbfad62a23/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03ab9f2da7e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 03ab9f2da7e9be788255f4e03bc8750b65d43023d7115ed79162df64c826eff4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442633/

Comments