MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9c455e87449a312752b0081f0d37ce4e6564e6c38478cc8469370eb89064d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f9c455e87449a312752b0081f0d37ce4e6564e6c38478cc8469370eb89064d7
SHA3-384 hash: d14890d00ba414d607159b6c8bbe2f04bf2d6bc095bf5d13f76d534f7a409384e41368a2abab0605caa91771b2f86060
SHA1 hash: 761dfb8a9ba28d4cb08ee325bb005f35b50d25ba
MD5 hash: b2d55bdff14cf2ea2d6b64663fdcded0
humanhash: virginia-chicken-harry-freddie
File name:b2d55bdff14cf2ea2d6b64663fdcded0.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'675'776 bytes
First seen:2022-04-09 09:55:43 UTC
Last seen:2022-04-09 10:56:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:JZ4NXq+IjIEKnIldlukDLli9ltZnFL52iYwvrTvx04yC29KEXYBILzy:JitqtjI7IldGztZnZEjAvxplEIBI
Threatray 382 similar samples on MalwareBazaar
TLSH T13F75231232EE4A10C27DDA3020A2655CA777EF273015EB2D55CC78DC467BAC5A6E23E7
File icon (PE):PE icon
dhash icon ceccc4c6cef0f2d4 (9 x AsyncRAT, 1 x NanoCore, 1 x BitRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
92.118.36.201:6606

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.118.36.201:6606 https://threatfox.abuse.ch/ioc/518093/

Intelligence

File Origin
# of uploads :
2
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2d55bdff14cf2ea2d6b64663fdcded0.exe
Verdict:
Malicious activity
Analysis date:
2022-04-09 09:57:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4693d513-ccac-47f1-bc84-db27f480361d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262301/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.32690.2003.23641.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6251583304b81dabe2654851/reports/340d5ec1-04ec-49d6-b6af-bbb70bc81a53/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20743f5e-a709-4cac-82de-adb57c0c46ac
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973732
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: File Created with System Process Name
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 606219 Sample: syW8ThZeLI.exe Startdate: 09/04/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 14 other signatures 2->84 8 syW8ThZeLI.exe 7 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 11 other processes 2->16 process3 dnsIp4 62 C:\Users\user\AppData\...\xrPeqrBGrqcND.exe, PE32 8->62 dropped 64 C:\...\xrPeqrBGrqcND.exe:Zone.Identifier, ASCII 8->64 dropped 66 C:\Users\user\AppData\Local\...\tmp71D5.tmp, XML 8->66 dropped 68 C:\Users\user\AppData\...\syW8ThZeLI.exe.log, ASCII 8->68 dropped 92 Uses schtasks.exe or at.exe to add and modify task schedules 8->92 94 Writes to foreign memory regions 8->94 96 Allocates memory in foreign processes 8->96 100 2 other signatures 8->100 19 RegSvcs.exe 4 6 8->19         started        23 powershell.exe 25 8->23         started        25 schtasks.exe 1 8->25         started        27 backgroundTaskHost.exe 8->27         started        98 Changes security center settings (notifications, updates, antivirus, firewall) 12->98 29 MpCmdRun.exe 12->29         started        70 C:\Users\user\AppData\...\svchost.exe.log, ASCII 14->70 dropped 31 conhost.exe 14->31         started        72 127.0.0.1 unknown unknown 16->72 74 192.168.2.1 unknown unknown 16->74 33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        37 conhost.exe 16->37         started        file5 signatures6 process7 file8 60 C:\Users\Public\Documents\...\svchost.exe, PE32 19->60 dropped 86 Creates autostart registry keys with suspicious names 19->86 88 Adds a directory exclusion to Windows Defender 19->88 90 Drops PE files with benign system names 19->90 39 RegSvcs.exe 19->39         started        42 powershell.exe 19->42         started        44 powershell.exe 19->44         started        46 powershell.exe 19->46         started        48 conhost.exe 23->48         started        50 conhost.exe 25->50         started        52 conhost.exe 29->52         started        signatures9 process10 dnsIp11 76 92.118.36.201, 49725, 6606 AS209132NL Romania 39->76 54 conhost.exe 42->54         started        56 conhost.exe 44->56         started        58 conhost.exe 46->58         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f9c455e87449a312752b0081f0d37ce4e6564e6c38478cc8469370eb89064d7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-31 20:18:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
25 of 42 (59.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6oekxuhisndcj2swaeb6djxzzhgkzhgyochrteene3q5oeqmtlq._file
Verdict:
malicious
Similar samples:
0432de0ca2a033d243ff9e4f2589955678620ac4be75b25f3f632d43bad3fa2a
AsyncRAT
3b35160a0221a2abd530bf26c039844ed986971c906fcb6e6feedb8978d076b8
AsyncRAT
8f3deece688aa33294622610ff9e48cedc8aa6ac0ea2446808e932b626fd011c
AsyncRAT
a3a9320405303d369e0f915541fd2dffa46c96772840069b6c55b2c4051cf342
AsyncRAT
b6c5381ca4842df5f36898a58053bcce17919f059a84432dbeb60bdef9968a2e
AsyncRAT
ee03a7e0fb12790de85977a9c4bec4d1d0a58e694c292c2b8f67b891770cedc4
AsyncRAT
f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56
AsyncRAT
+ 372 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion persistence rat trojan
Link:
https://tria.ge/reports/220409-lycabsgfc4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Async RAT payload
AsyncRat
Windows security bypass
Malware Config
C2 Extraction:
92.118.36.201:6606
92.118.36.201:7707
92.118.36.201:8808
92.118.36.201:3001
Unpacked files
SH256 hash:
f3d6c25356b6de3c9f18c56f0dbb77c5c0d18366ecc5ee06a5919b5f31e57285
MD5 hash:
835007ba43e6413703df91e4fa221323
SHA1 hash:
98316a233377565e2a9fd7b6a832624eb93438a3
Link:
https://www.unpac.me/results/8bcbb963-e048-4783-887a-c3c83c054be9/
SH256 hash:
613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c
MD5 hash:
3096cbaf4b5d40f9c61bf7ce13fde62f
SHA1 hash:
6b3c580e51fd306bfdc2e727ca3bc7805aba4b53
Link:
https://www.unpac.me/results/8bcbb963-e048-4783-887a-c3c83c054be9/
SH256 hash:
b68c2c11aac776ba920e6271bfd562d3c30c1d0b02bc545360a76a48d71bcc7e
MD5 hash:
772e007bef77416fcd4a1f39de1cbf4e
SHA1 hash:
697cc092f94aa3fe2a2570d339d7cde14f05521a
Link:
https://www.unpac.me/results/8bcbb963-e048-4783-887a-c3c83c054be9/
SH256 hash:
1e3cc5cbb1b368b531642032773b20efa3e5c0adc55dd24d6909dd532b875b9c
MD5 hash:
3678f2eb7e12691f0987b2b347833cf4
SHA1 hash:
30bd95b7bb103e8cb0a252b4bc254727e095014d
Link:
https://www.unpac.me/results/8bcbb963-e048-4783-887a-c3c83c054be9/
SH256 hash:
1f9c455e87449a312752b0081f0d37ce4e6564e6c38478cc8469370eb89064d7
MD5 hash:
b2d55bdff14cf2ea2d6b64663fdcded0
SHA1 hash:
761dfb8a9ba28d4cb08ee325bb005f35b50d25ba
Link:
https://www.unpac.me/results/8bcbb963-e048-4783-887a-c3c83c054be9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1f9c455e8744/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f9c455e87449a312752b0081f0d37ce4e6564e6c38478cc8469370eb89064d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262301/

Comments