MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 20 File information Comments

SHA256 hash:	0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141
SHA3-384 hash:	c4304a43b09a262c0af4c453894695ac56fb7cc82ba2050459aa814831f65b5ea0ee471b2f19d4c367209285ebf5a373
SHA1 hash:	c8fb91953976291310ddc645e2b9275277c57ec2
MD5 hash:	83626a159e3399dc2bec680220ba8969
humanhash:	zulu-mike-cup-wolfram
File name:	VenomRemote_Cracked.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	40'408'576 bytes
First seen:	2022-09-06 07:11:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	393216:OFdlmXJTD1jJTDQMvfOjmM27kv1Bx0bQox/UlGkNCoIZZJTD2Mm1Zg6YH3mH1gfB:GLxMvDUjCbQa/O11t1Zg6kmH1gEEE
Threatray	16 similar samples on MalwareBazaar
TLSH	T17697F1273960F6C4F6BB19FC0370D62A83241E7A1A245931648876FD6DD1E96F18C3FA
TrID	73.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	f0d109a696c4ec30 (1 x AsyncRAT)
Reporter	JAMESWT_WT
Tags:	AsyncRAT exe VenomRAT

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

VenomRemote_Cracked.exe

Verdict:

Suspicious activity

Analysis date:

2022-09-06 07:25:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a6ae4ab4-63e1-4f2c-9e3f-aef85e0019e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Сreating synchronization primitives

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm confuserex evasive explorer.exe fingerprint keylogger packed stealer

Link:

https://www.filescan.io/uploads/6316f3072916aa429413d19d/reports/6c373348-44a9-483b-a9fd-9b09663871c9/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad.mine

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1065441

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.ClipBanker

Status:

Malicious

First seen:

2021-04-16 19:05:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

922

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bzm5ri3py45uaf4hglbotxwjcq6owpp5lecuoiq5xttftayeefaq._file

Verdict:

malicious

AsyncRAT

34780db137a84afc3d8957def954127c724fba4187055e49b875481203b68163

AsyncRAT

523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10

AsyncRAT

a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e

AsyncRAT

ac1976494d19c9e673c6ae69a2e88b5901ad494d57d5d942cef0121232772132

AsyncRAT

cc8238f4425e62f6c878a84ac794db812c619508dc916e2bde50f7a5f6152ba5

AsyncRAT

cf84be2a0d26ffd76a445e6a288e1dc9d61ff01bd00e9c4dac583e86215c207f

AsyncRAT

faba5925ee5e0f769b8b412870d7ccc4dce9288fc42141bcdfd07b2716596380

AsyncRAT

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

agilenet

Link:

https://tria.ge/reports/220906-h1hncaghb8/

Behaviour

Obfuscated with Agile.Net obfuscator

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/0e59d8a36fc73b40178732c2e9dec9143ceb3dfd590547221dbce65983042141

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	INDICATOR_EXE_Packed_AgileDotNet Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Agile.NET / CliSecure

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a paste

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	malware_asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	RSharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	identifiers for remote and gmremote

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample