MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52
SHA3-384 hash: 48f0ba8c253bb117e6ab5d47c1e4cd3e5c2e1303e39c5c1bff705bf3e599d00ed2e770a1f06acc8bba5cc53cdaf7d635
SHA1 hash: b8780569ded3042f19f8dcd25e05501e65b53d12
MD5 hash: 64e78fa4a053f1b0b71081a5fbc64179
humanhash: alpha-iowa-ohio-uncle
File name:PO301.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:473'600 bytes
First seen:2023-12-12 11:42:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Izh+4WpAEVy7+XjwBovqdbjVTZ24UPcT9A04JbgmzDFMa+:VpAEN6uyDmzDFM
TLSH T16EA4120473692E0FF7BB27F38061660513B9BD19A5A2F7CC9DE131DE14B1F6116A02AB
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0c896b2b296e8f0 (19 x AgentTesla, 5 x Formbook, 2 x AsyncRAT)
Reporter lowmal3
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
PO301.exe
Verdict:
Malicious activity
Analysis date:
2023-12-12 11:43:51 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/fb544230-1bd7-4898-87cd-c53ef7a4a865

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466374/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15924.24005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hook keylogger packed
Link:
https://www.filescan.io/uploads/6578474a81a3a8ec606ebf21/reports/5b5278dc-5835-4398-bd17-2156f1c0b064/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d33cac2-f900-46b1-a536-ecf55b849d84
Result
Threat name:
AsyncRAT, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360073
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1360073 Sample: PO301.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 35 abuhjil.com 2->35 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 11 other signatures 2->45 8 PO301.exe 7 2->8         started        12 VNuPigBRgg.exe 5 2->12         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\VNuPigBRgg.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmpD821.tmp, XML 8->33 dropped 47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->47 49 Uses schtasks.exe or at.exe to add and modify task schedules 8->49 51 Adds a directory exclusion to Windows Defender 8->51 53 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->53 14 PO301.exe 2 8->14         started        17 powershell.exe 20 8->17         started        19 schtasks.exe 1 8->19         started        55 Machine Learning detection for dropped file 12->55 57 Injects a PE file into a foreign processes 12->57 21 schtasks.exe 1 12->21         started        23 VNuPigBRgg.exe 2 12->23         started        signatures6 process7 dnsIp8 37 abuhjil.com 139.84.229.159, 1988, 49734 LASALLEUS United States 14->37 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 09:35:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ay2ke5idt37if5tpkziyzbau4qstlm6xovrcpzvqcqroetpfpnja._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:default rat
Link:
https://tria.ge/reports/231212-nvkteaccel/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Async RAT payload
AsyncRat
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
abuhjil.com:1988
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/8894073c-ef11-4593-8a42-e224dbf4cb31/
SH256 hash:
6ff92e0470b67f0948668ff1e3801543b91f97399ddd7156d4d7f2c75e50e7a7
MD5 hash:
8be635ee5bc7d362d2a7c76f27357bc3
SHA1 hash:
2dcfdcc45efc62880c38324d21f1870959649d61
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
win_asyncrat_bytecodes
Create hunting rule
win_asyncrat_unobfuscated
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/8894073c-ef11-4593-8a42-e224dbf4cb31/
Parent samples :
0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52
8737b9c5969931c61500427c301c40e635acec433bd4450e1dca9f202e97fb6f
SH256 hash:
fc443dc49b0aa569b489e585aa111866e0bbc29c25a501f8a55370f091ec8f46
MD5 hash:
1fdf1e89e36e3816f0f10356d4372daa
SHA1 hash:
1fdb564257ef366cf048e3dba72e2741b62e2eaf
Link:
https://www.unpac.me/results/8894073c-ef11-4593-8a42-e224dbf4cb31/
SH256 hash:
7d968ee2ec1bf4c1bf9228f8f2794675de987ac83bac5f8c608963526a435ed3
MD5 hash:
1845455753429aeee7c7762ef407d8ea
SHA1 hash:
050f55f9458f419c8fec7b31cf80542849d33a76
Link:
https://www.unpac.me/results/8894073c-ef11-4593-8a42-e224dbf4cb31/
SH256 hash:
0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52
MD5 hash:
64e78fa4a053f1b0b71081a5fbc64179
SHA1 hash:
b8780569ded3042f19f8dcd25e05501e65b53d12
Link:
https://www.unpac.me/results/8894073c-ef11-4593-8a42-e224dbf4cb31/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0634a275039e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 0634a275039efe82f66f56518c8414e42535b3d7756227e6b01422e24de57b52

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/466374/

Comments