MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 19


Intelligence 19 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
SHA3-384 hash: f244c8f66e7ff3b8b89d5783f2a4bd5850c13e96a5a492bed6cf0e0a8f113e5da16badf03e6b30798bad3f871c92da0c
SHA1 hash: 37120e1b71956b5f3852605db0f33f4565a3952d
MD5 hash: 59d3bc9ca446bf4fcce3a93cdbce134a
humanhash: autumn-princess-fourteen-magazine
File name:59d3bc9ca446bf4fcce3a93cdbce134a
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:329'728 bytes
First seen:2024-08-05 15:51:04 UTC
Last seen:2024-08-05 16:23:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep 6144:3RptkRZIFoIkY/7J81GyQUMTa5+suXqWxHNDf1CPyysAosQSPJHdlLTpn:jHoIfjJ80Rl86xHTCPvsASQJHd
Threatray 2'942 similar samples on MalwareBazaar
TLSH T1146423D9E5F4C23BE7B6807E55A3875C9ADADDCD582431A3A9CFD20972C506C0B313A8
TrID 32.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.8% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
374
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
59d3bc9ca446bf4fcce3a93cdbce134a
Verdict:
Malicious activity
Analysis date:
2024-08-05 15:54:36 UTC
Tags:
amsi-bypass rat asyncrat remote netreactor redline
Link:
https://app.any.run/tasks/5a571fc5-6f54-45fb-9572-06997184036b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b0f4f0037b02d0daedc1cc
Tags:
Encryption Execution Network Static Stealth Trojan Zpack
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file
Launching a process
Creating a file in the system32 subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Setting browser functions hooks
Unauthorized injection to a recently created process
Forced shutdown of a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fasm packed peunion
Link:
https://www.filescan.io/uploads/66b0f524e7dbbbdfcd09600f/reports/5300f858-2320-421f-ae4d-c89d5d28e365/overview
Verdict:
Malicious
Labled as:
ExNuma.Generic
Link:
https://www.hybrid-analysis.com/sample/1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c75f52c-63e3-4fbd-9385-f7b8b55d436b
Result
Threat name:
AsyncRAT, PureLog Stealer, RedLine, zgRA
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1488178
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious Malware Callback Communication
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PersistenceViaHiddenTask
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1488178 Sample: ZAOnnwhdhI.exe Startdate: 05/08/2024 Architecture: WINDOWS Score: 100 65 blue.o7lab.me 2->65 67 server.underground-cheat.xyz 2->67 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for dropped file 2->93 95 28 other signatures 2->95 9 powershell.exe 2 15 2->9         started        12 ZAOnnwhdhI.exe 3 2->12         started        15 WinUpdate.exe 3 2->15         started        signatures3 process4 file5 97 Found many strings related to Crypto-Wallets (likely being stolen) 9->97 99 Writes to foreign memory regions 9->99 101 Modifies the context of a thread in another process (thread injection) 9->101 109 2 other signatures 9->109 17 dllhost.exe 1 9->17         started        20 conhost.exe 9->20         started        61 C:\Users\user\AppData\Local\...\Install.exe, PE32 12->61 dropped 63 C:\Users\user\AppData\...\$77svchost.exe, PE32 12->63 dropped 22 $77svchost.exe 7 12->22         started        25 Install.exe 1 12->25         started        103 Antivirus detection for dropped file 15->103 105 Multi AV Scanner detection for dropped file 15->105 107 Machine Learning detection for dropped file 15->107 signatures6 process7 file8 75 Injects code into the Windows Explorer (explorer.exe) 17->75 77 Contains functionality to inject code into remote processes 17->77 79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->79 87 4 other signatures 17->87 27 lsass.exe 17->27 injected 30 svchost.exe 17->30 injected 32 svchost.exe 17->32 injected 38 30 other processes 17->38 53 C:\Users\user\AppData\Roaming\WinUpdate.exe, PE32 22->53 dropped 81 Antivirus detection for dropped file 22->81 83 Multi AV Scanner detection for dropped file 22->83 85 Machine Learning detection for dropped file 22->85 34 cmd.exe 1 22->34         started        36 cmd.exe 1 22->36         started        signatures9 process10 dnsIp11 111 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->111 113 Writes to foreign memory regions 27->113 115 System process connects to network (likely due to code injection or exploit) 30->115 41 WinUpdate.exe 34->41         started        45 conhost.exe 34->45         started        47 timeout.exe 1 34->47         started        117 Uses schtasks.exe or at.exe to add and modify task schedules 36->117 49 conhost.exe 36->49         started        51 schtasks.exe 1 36->51         started        69 206.23.85.13.in-addr.arpa 38->69 71 server.underground-cheat.xyz 38->71 signatures12 process13 dnsIp14 73 blue.o7lab.me 45.66.231.202, 49712, 49719, 49721 CMCSUS Germany 41->73 55 C:\Users\user\AppData\Local\Temp\ywgdgq.exe, PE32 41->55 dropped 57 C:\Users\user\AppData\Local\Temp\cdkllg.exe, PE32+ 41->57 dropped 59 C:\Users\user\AppData\Local\Temp\bukenw.exe, PE32 41->59 dropped file15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db/
Threat name:
Win32.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2024-08-03 21:22:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djc4m5gjzago4n4keegihqsjfovos5tsprrlxlzgf3qg424iyhnq._file
Verdict:
malicious
Similar samples:
06964dd3189bad530f3e1f1b866ccd300672eac8d3889ff327724927770b0389
AsyncRAT
1e7053eb1a26b5577732ebf58a09b9a249ffabd7bb997b33d5b5bfcbae18ba77
AsyncRAT
51f3f7d8ac847527e0652b7841b3f37844b24f1e5b206af23debd479b8aa6a86
AsyncRAT
85b4167417d416880d3e9f1ff438e1e5b125ceb28de4e3ebd9b5725717815157
AsyncRAT
9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
AsyncRAT
a2b83ca2802947ffbb1b191ee1b8326d4dcbac5f4d99bbb25ba816717b50fa3c
AsyncRAT
f5efd1b435706c4eb87582528b1f34825765cc5324f768a93d763b31642f8263
AsyncRAT
+ 2'932 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline family:sectoprat botnet:server.underground-cheat.xyz defense_evasion discovery evasion execution infostealer rat trojan
Link:
https://tria.ge/reports/240805-ta2t3s1bmn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Async RAT payload
AsyncRat
Modifies security service
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
blue.o7lab.me:7777
server.underground-cheat.xyz:7777
server.underground-cheat.xyz:1337
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/165fcc4f-2bb0-4f9c-88a9-e1d397e8f023
Unpacked files
SH256 hash:
26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2
MD5 hash:
a44a767dba207c04c74afae17144f787
SHA1 hash:
fa14f38216e259be5b181c825719f1c864691a5f
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/f1bd0833-d7c8-4cd7-b929-a9b7d4a707f9/
SH256 hash:
1b707a991a74025f244318e660d77aea86a1398b079471c023087be13206fa72
MD5 hash:
ec88823f338762f1b46f19846d9461de
SHA1 hash:
805e444f0e0ed095a095fae9a62d117fa88cc3d8
Link:
https://www.unpac.me/results/f1bd0833-d7c8-4cd7-b929-a9b7d4a707f9/
SH256 hash:
0486cda11fbc2057bb702cd7390cd87d00fe9bf5cd6ae65127c8c1922e00829b
MD5 hash:
e7472a99aa97fedc4122362afc4bb0d8
SHA1 hash:
9213a446bafcc0e1c572dd9766a344fc8016a9f0
Detections:
win_asyncrat_w0
Create hunting rule
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/f1bd0833-d7c8-4cd7-b929-a9b7d4a707f9/
SH256 hash:
1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
MD5 hash:
59d3bc9ca446bf4fcce3a93cdbce134a
SHA1 hash:
37120e1b71956b5f3852605db0f33f4565a3952d
Link:
https://www.unpac.me/results/f1bd0833-d7c8-4cd7-b929-a9b7d4a707f9/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a45c674c9c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3090680/
  
URLhaus
https://urlhaus.abuse.ch/url/3090681/
  
URLhaus
https://urlhaus.abuse.ch/url/3092495/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::VirtualAllocExNuma
kernel32.dll::CreateThread
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA

Comments


Avatar
zbet commented on 2024-08-05 15:51:05 UTC

url : hxxp://45.66.231.202/raw/Install.exe