MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AsyncRAT
Vendor detections: 17
| SHA256 hash: | 153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af |
|---|---|
| SHA3-384 hash: | b3cd50fda2e6ad81130d4ed2fd89a37b440eab6edcfba579b3edd7274e42245b6ff32712e55ba652e24fe36ba7259c67 |
| SHA1 hash: | 4c8f3cf14130e6519339a370bba4527ecb012cde |
| MD5 hash: | f69889d705f5d72d65661b48535ae1b3 |
| humanhash: | stairway-seventeen-south-mango |
| File name: | 153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af |
| Download: | download sample |
| Signature | AsyncRAT |
| File size: | 179'200 bytes |
| First seen: | 2025-01-10 14:37:08 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 3072:Ke8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gT8wARE+WpCc:66ewwIwQJ6vKX0c5MlYZ0b2R |
| Threatray | 131 similar samples on MalwareBazaar |
| TLSH | T13F045B5837D80A15F3BE5FB8F4B012118B75B477AA1AE75F08E920EE0D62351E911FA3 |
| TrID | 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | AsyncRAT exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
215
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af
Verdict:
Malicious activity
Analysis date:
2025-01-10 21:20:35 UTC
Tags:
stealer evasion telegram stormkitty xor-url generic ims-api
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
infosteal asyncrat autorun
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Creating a file in the %temp% directory
Creating a window
Running batch commands
Launching a process
Launching the process to change network settings
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm asyncrat cmd crypto evasive findstr fingerprint hacktool keylogger lolbin net netsh njrat rat reg schtasks stealer vbnet
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealerium Stealer
Verdict:
Malicious
Result
Threat name:
AsyncRAT, StormKitty, WorldWind Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
ByteCode-MSIL.Backdoor.AsyncRat
Status:
Malicious
First seen:
2025-01-10 14:38:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
stormkitty
asyncrat
Similar samples:
+ 121 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Score:
10/10
Tags:
family:asyncrat family:stormkitty botnet:default discovery persistence privilege_escalation rat spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Reads user/profile data of web browsers
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069
Verdict:
Malicious
Tags:
trojan rat asyncrat stealer worldwind stormkitty stormkitty Win.Packed.AsyncRAT-9856570-1
YARA:
Windows_Generic_Threat_62e1f5fc malware_asyncrat asyncrat win_asyncrat_unobfuscated JPCERTCC_Asyncrat MALWARE_Win_Multi_Family_Infostealer MALWARE_Win_WorldWind
Unpacked files
SH256 hash:
153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af
MD5 hash:
f69889d705f5d72d65661b48535ae1b3
SHA1 hash:
4c8f3cf14130e6519339a370bba4527ecb012cde
Detections:
WorldWindStealer
win_asyncrat_w0
cn_utf8_windows_terminal
SUSP_NET_Msil_Suspicious_Use_StrReverse
asyncrat
win_asyncrat_bytecodes
win_asyncrat_unobfuscated
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
INDICATOR_SUSPICIOUS_EXE_CC_Regex
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
INDICATOR_SUSPICIOUS_EXE_References_VPN
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
MALWARE_Win_StormKitty
MALWARE_Win_Multi_Family_InfoStealer
MALWARE_Win_WorldWind
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | asyncrat |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect AsyncRat in memory |
| Reference: | internal research |
| Rule name: | asyncrat_kingrat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse |
|---|---|
| Author: | ditekSHen |
| Description: | Detects file containing reversed ASEP Autorun registry keys |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_CC_Regex |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing credit card regular expressions |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Discord_Regex |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Discord tokens regular expressions |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables (downlaoders) containing URLs to raw contents of a paste |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_VPN |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many VPN software clients. Observed in infosteslers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables using Telegram Chat Bot |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables with interest in wireless interface using netsh |
| Rule name: | malware_asyncrat |
|---|---|
| Description: | detect AsyncRat in memory |
| Reference: | https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp |
| Rule name: | malware_asyncrat |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect AsyncRat in memory |
| Reference: | internal research |
| Rule name: | MALWARE_Win_Multi_Family_InfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers |
| Rule name: | MALWARE_Win_StormKitty |
|---|---|
| Author: | ditekSHen |
| Description: | Detects StormKitty infostealer |
| Rule name: | MALWARE_Win_WorldWind |
|---|---|
| Author: | ditekSHen |
| Description: | Detects WorldWind infostealer |
| Rule name: | MAL_AsnycRAT |
|---|---|
| Author: | SECUINFRA Falcon Team |
| Description: | Detects AsnycRAT based on it's config decryption routine |
| Rule name: | MAL_AsyncRAT_Config_Decryption |
|---|---|
| Author: | SECUINFRA Falcon Team |
| Description: | Detects AsnycRAT based on it's config decryption routine |
| Rule name: | msil_suspicious_use_of_strreverse |
|---|---|
| Author: | dr4k0nia |
| Description: | Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse |
| Rule name: | Multifamily_RAT_Detection |
|---|---|
| Author: | Lucas Acha (http://www.lukeacha.com) |
| Description: | Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | Njrat |
|---|---|
| Author: | botherder https://github.com/botherder |
| Description: | Njrat |
| Rule name: | pe_imphash |
|---|
| Rule name: | prynt_stealer |
|---|---|
| Author: | Nikos 'n0t' Totosis |
| Description: | Prynt Stealer Payload |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | SUSP_DOTNET_PE_List_AV |
|---|---|
| Author: | SECUINFRA Falcon Team |
| Description: | Detecs .NET Binary that lists installed AVs |
| Rule name: | SUSP_NET_Msil_Suspicious_Use_StrReverse |
|---|---|
| Author: | dr4k0nia, modified by Florian Roth |
| Description: | Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse |
| Reference: | https://github.com/dr4k0nia/yara-rules |
| Rule name: | telegram_bot_api |
|---|---|
| Author: | rectifyq |
| Description: | Detects file containing Telegram Bot API |
| Rule name: | Windows_Generic_Threat_2bb6f41d |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Generic_Threat_62e1f5fc |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_asyncrat_bytecodes |
|---|---|
| Author: | Matthew @ Embee_Research |
| Description: | Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc) |
| Rule name: | win_asyncrat_j1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects AsyncRAT |
| Rule name: | win_asyncrat_unobfuscated |
|---|---|
| Author: | Matthew @ Embee_Research |
| Description: | Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc) |
| Rule name: | win_asyncrat_w0 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect AsyncRat in memory |
| Reference: | internal research |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.RAT King Parser (https://github.com/jeFF0Falltrades/rat_king_parser) Output:
{
"sha256": "153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af",
"yara_possible_family": "asyncrat",
"key": "e5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"TelegramToken": "6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8",
"TelegramChatID": "5287158069",
"Ports": [
"6606",
"7707",
"8808"
],
"Hosts": [
"127.0.0.1"
],
"Version": "",
"Install": "false",
"InstallFolder": "%AppData%",
"InstallFile": "",
"Key": "VklmeGZxcnlVVHlaVUJHRENCQXZiWVZZSXNleElNN1o=",
"Mutex": "AsyncMutex_6SI8OkPnk",
"Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=",
"Serversignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=",
"Anti": "false",
"Pastebin": "null",
"BDOS": "false",
"Hwid": "null",
"Delay": "3",
"Group": "Default"
}
}