MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
SHA3-384 hash: 9835d892e3ef3d88386de7dfe2f0728266074cb26d31b34ecc6bbf71bc7696fa48310131f356ae47437286a8324f2f89
SHA1 hash: dc1d5db7871976e0adadff3141775f67c4c22cea
MD5 hash: 045c879c731f4dbb7e793332759378f7
humanhash: potato-pluto-nitrogen-pip
File name:045c879c731f4dbb7e793332759378f7
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'127'776 bytes
First seen:2022-12-02 00:11:55 UTC
Last seen:2022-12-02 01:28:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4385a52c4954ea622602f131b43369ce (2 x AsyncRAT, 1 x RedLineStealer, 1 x RemcosRAT)
ssdeep 49152:JVivXj9M8hT5nYVtemZsgrG81LAACOD2nnoF:qXj9MkFYVtyGRLAmMo
Threatray 17'949 similar samples on MalwareBazaar
TLSH T19DA523119395EFF5D44207398D0A93326AF7FC3486A80ED32694679B78791C36AB3347
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon bc3befadbc6cecda (1 x AsyncRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe signed

Code Signing Certificate

Organisation:copylink.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-17T17:57:59Z
Valid to:2023-02-15T17:57:58Z
Serial number: 04dfae3525fc81202de434a3c89d5879b6e1
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e974745b1234969a2631036b6ade75801b95cbad44710f0edbb454bffb2962ae
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
045c879c731f4dbb7e793332759378f7
Verdict:
Malicious activity
Analysis date:
2022-12-02 00:14:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e12b57b9-a2f5-4883-8821-a7d3c50f9172

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341668/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63983891.27262.9730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638942d553133aaaf83c23d5/reports/e57c1ae7-0ad0-43e8-8744-b11817299ca9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6db8755c-1a13-43c8-965f-994bf6808d94
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1126125
Signature
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 16:40:10 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtmqumdmwbg5yzsulzd5pssv2k54dxaio7lz6dg7vow63rb7q7tq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
AsyncRAT
2fd76f5bd73eeec44ca3ef9a2783e496f66b07f0b6b814f0046ec3aaeac6f911
AsyncRAT
3d538725fd27edb771e7e5c07a11508d7363dc6f0bdb438240bd34eae746aeed
AsyncRAT
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
AsyncRAT
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
AsyncRAT
abf32362b9d9351332107be717d6673ff298e6f66e536838f59dc0ca0e22942a
AsyncRAT
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AsyncRAT
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
AsyncRAT
f99cf4e79efb37bea41405c5701f8ce7f86dea17a05b0c89f8f775c28458b214
AsyncRAT
+ 17'939 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221202-ag8fnahf8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf4d4669-125c-458d-89b2-17d687d54e19
Unpacked files
SH256 hash:
8f18a7282dc91f86eb70d0a39d239e8ebe90abcaa50a2fece09cadb023cae88c
MD5 hash:
eaaa502c0aa791443f0f47c35ee17805
SHA1 hash:
feaf65e8dd21434bbfa32a8f1bde14a49e6c4849
Link:
https://www.unpac.me/results/fff0cd02-92da-4803-85d5-4a716630506f/
SH256 hash:
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
MD5 hash:
045c879c731f4dbb7e793332759378f7
SHA1 hash:
dc1d5db7871976e0adadff3141775f67c4c22cea
Link:
https://www.unpac.me/results/fff0cd02-92da-4803-85d5-4a716630506f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2440631/
Cape
Cape
https://www.capesandbox.com/analysis/341668/
  
URLhaus
https://urlhaus.abuse.ch/url/2441295/

Comments


Avatar
zbet commented on 2022-12-02 00:11:57 UTC

url : hxxp://jonnyomar.xyz/nppshell32.exe