MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804
SHA3-384 hash: 407658b2646f589180ca088deef2d5cb95aa905dccea70562f5315cae0a40de6592372cc49805a816fbd2091b7fc72b9
SHA1 hash: a9fe6d9f24526cdc27a052e521bd80c28e8b7e5a
MD5 hash: db60d78516e1f61b534abc0218c29efe
humanhash: double-nine-echo-fanta
File name:db60d78516e1f61b534abc0218c29efe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'046'112 bytes
First seen:2023-02-05 21:19:14 UTC
Last seen:2023-02-06 00:45:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b2ab5d36f7dd4a87126c1487665c85da (2 x RedLineStealer, 1 x AsyncRAT)
ssdeep 24576:H+MC3/eMDtcOQDY8r7dvW2CIF+MEk2waIamKDKaT5ioAl8cSIjflzK4gWNz6yhV/:H+xe+VAP9o1Yy0hl8cSsflvZJj0K
Threatray 19'050 similar samples on MalwareBazaar
TLSH T11995BD0D96F8601DDC930A71C5F15312BF3E3410CBED86E6E9631DE5171A7BAEE2A10A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0cc8e96b296ccf0 (1 x Formbook, 1 x AsyncRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe signed

Code Signing Certificate

Organisation:podari24.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-06T20:00:27Z
Valid to:2023-04-06T20:00:26Z
Serial number: 03587ea5d0a4cef29b4a1f1cdd643c32bac3
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 722386bc45fdef19db247c078624e3def17c237abb3e296ccfeb476004bb1915
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-05 21:16:33 UTC
Tags:
loader
Link:
https://app.any.run/tasks/e1974f9d-dd79-4965-96eb-d897f52ee867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360471/
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.22408.29993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65479/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63e01d85528134caf043a155/reports/0ef956ab-e93d-411d-882b-43208a83d482/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a997bf4-d3c7-485d-8898-466792d09ed0
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166120
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara detected zgRAT
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798891 Sample: IkklP6KLEX.exe Startdate: 05/02/2023 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 6 other signatures 2->54 7 ojxoh.exe 1 9 2->7         started        11 IkklP6KLEX.exe 13 2->11         started        process3 dnsIp4 40 zsqu2fsv3fe.bnsqiygukpnjlrlydb0wvj 7->40 42 185.17.0.22, 49686, 49688, 58001 SUPERSERVERSDATACENTERRU Russian Federation 7->42 62 Multi AV Scanner detection for dropped file 7->62 64 Machine Learning detection for dropped file 7->64 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->66 14 powershell.exe 15 14 7->14         started        18 powershell.exe 13 7->18         started        44 zsqu2fsv3fe.bnsqiygukpnjlrlydb0wvj 11->44 32 C:\Users\user\AppData\Local\...\ojxoh.exe, PE32 11->32 dropped 34 C:\Users\user\...\ojxoh.exe:Zone.Identifier, ASCII 11->34 dropped 36 C:\Users\user\AppData\...\IkklP6KLEX.exe.log, ASCII 11->36 dropped 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->68 70 Encrypted powershell cmdline option found 11->70 20 powershell.exe 16 11->20         started        file5 signatures6 process7 dnsIp8 46 185.17.0.54, 49687, 80 SUPERSERVERSDATACENTERRU Russian Federation 14->46 38 C:\Users\user\AppData\Local\...\bomuurl.exe, PE32+ 14->38 dropped 23 bomuurl.exe 2 14->23         started        26 conhost.exe 14->26         started        28 conhost.exe 18->28         started        56 Powershell drops PE file 20->56 30 conhost.exe 20->30         started        file9 signatures10 process11 signatures12 58 Multi AV Scanner detection for dropped file 23->58 60 Machine Learning detection for dropped file 23->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-05 21:20:26 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwqh74vravw5ymoc7jv3kivv3otiwqowvhf5mn6qwchnx3xfpaca._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
AsyncRAT
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
AsyncRAT
3d538725fd27edb771e7e5c07a11508d7363dc6f0bdb438240bd34eae746aeed
AsyncRAT
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
AsyncRAT
5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3
AsyncRAT
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
AsyncRAT
abf32362b9d9351332107be717d6673ff298e6f66e536838f59dc0ca0e22942a
AsyncRAT
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AsyncRAT
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
AsyncRAT
f99cf4e79efb37bea41405c5701f8ce7f86dea17a05b0c89f8f775c28458b214
AsyncRAT
+ 19'040 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230205-z6s5psec6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
4d0276fc9279a499e8750fe2efa40eb7017e924471ff94f6ffc63eebcdbd0ff8
MD5 hash:
38441bf57f48c5dda052c4e0f420feb1
SHA1 hash:
40baab616e36621218ce1e3e5ec08a8504ac501b
Link:
https://www.unpac.me/results/cf61b376-0d39-43ef-a583-f1955549bf47/
SH256 hash:
1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804
MD5 hash:
db60d78516e1f61b534abc0218c29efe
SHA1 hash:
a9fe6d9f24526cdc27a052e521bd80c28e8b7e5a
Link:
https://www.unpac.me/results/cf61b376-0d39-43ef-a583-f1955549bf47/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1da07ff2b105/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 1da07ff2b1056ddc31c2fa6bb522b5dba68b41d6a9cbd637d0b08edbeee57804

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/360471/
  
URLhaus
https://urlhaus.abuse.ch/url/2531329/

Comments


Avatar
zbet commented on 2023-02-05 21:19:22 UTC

url : hxxp://109.172.45.94/qyBZEkiQGTjr.exe