MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 12



SHA256 hash: 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376
SHA3-384 hash: d289789731dd68ed1247623b3f95d21027d23ddb6a80263259a024e56de9770eb1e847ef235df028836161623dead142
SHA1 hash: 786532bf63d4b9f3354c8e41a31af90634472fb1
MD5 hash: 3ba788943ce69ebe9bbd218606fd8547
humanhash: blue-mississippi-twelve-robert
File name: 3ba788943ce69ebe9bbd218606fd8547
Signature: AsyncRAT
File size: 291'840 bytes
First seen: 2023-12-07 01:44:31 UTC
Last seen: 2023-12-07 03:16:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b6dba263daca1c4e70a9fb4873536e29 (1 x AsyncRAT)
ssdeep: 6144:xOsvv2XehpGU3HufTii8q0xH9h6edHyQYQFRkVli17iJiy8BNg2AOxT4hR:9BHL6edHytQEiy8BNg2khR
Threatray: 3'036 similar samples on MalwareBazaar
TLSH: T1B1545C11B291C032CDA114325A3CEBB6956DA8304FA495EBB3D44E7AEE342D1E731F67
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 AsyncRAT exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 342
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Setting a single autorun event
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware lolbin shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph: [process-tree graph not reproduced in text] Behavior Graph ID: 1355092, Sample: ybRCKYQDlh.exe, Startdate: 07/12/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2023-12-06 19:53:21 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 22 (81.82%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376
MD5 hash: 3ba788943ce69ebe9bbd218606fd8547
SHA1 hash: 786532bf63d4b9f3354c8e41a31af90634472fb1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AsyncRat
Author: kevoreilly, JPCERT/CC Incident Response Group
Description: AsyncRat Payload
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Check_Debugger
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: malware_asyncrat
Description: detect AsyncRat in memory
Reference: https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name: MAL_AsnycRAT
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: MAL_AsyncRAT_Config_Decryption
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: msil_suspicious_use_of_strreverse
Author: dr4k0nia
Description: Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_DOTNET_PE_List_AV
Author: SECUINFRA Falcon Team
Description: Detects .NET Binary that lists installed AVs
Rule name: SUSP_Reverse_Run_Key
Author: SECUINFRA Falcon Team
Description: Detects a Reversed Run Key
Rule name: Windows_Trojan_Asyncrat_11a11ba1
Author: Elastic Security
Rule name: win_asyncrat_bytecodes
Author: Matthew @ Embee_Research
Description: Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AsyncRAT
File type: Executable exe
SHA256: 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376 (this sample)

Comments



zbet commented on 2023-12-07 01:44:32 UTC

url: hxxp://91.92.247.123/Application.exe