MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398
SHA3-384 hash: 995a53ededdbd305c5f20a24df4895145a9121069ec7306a721d32ec9f0c3467d53d0e210723710afada53c6e7b1bade
SHA1 hash: e1d256a961662b1b45c23a2bfc4e4edf2d30b177
MD5 hash: d224b20b8c858da3bac1c5fb9cd1c33b
humanhash: chicken-aspen-stream-pluto
File name:d224b20b8c858da3bac1c5fb9cd1c33b.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:317'440 bytes
First seen:2024-01-26 14:15:19 UTC
Last seen:2024-01-26 16:30:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:BbiQqdJ052x8C2adFIYI906jqGFPkoh7Y0gJamWKw7eMT129ZW5sNdaYmOdhzStP:BbiQz52aC1sP906mG53h7c/RQ1p5C4LP
TLSH T1F664F10A57F907B8E8F1533978F5022D6FB7EE9BA813D71F6004143C262771A46367A6
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 4c3cf2ca84a4c4e0 (7 x AgentTesla, 2 x Loki, 1 x NanoCore)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
146.70.161.85:4217

Intelligence

File Origin
# of uploads :
2
# of downloads :
466
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398.exe
Verdict:
Malicious activity
Analysis date:
2024-01-26 14:43:39 UTC
Tags:
asyncrat rat remote
Link:
https://app.any.run/tasks/77eb4cfa-2a0d-4212-902a-539257c06059

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473072/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.26781.31625.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin msbuild packed
Link:
https://www.filescan.io/uploads/65b3bea487258803c24062d1/reports/3f4ec7d3-b13e-4799-adb2-60b2d2f21fc3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a49ad579-47c4-4ed3-84a6-04e02e088b2e
Result
Threat name:
AsyncRAT, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1381714
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1381714 Sample: A3kCyCeoFp.exe Startdate: 26/01/2024 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 9 Colours.exe 3 2->9         started        12 A3kCyCeoFp.exe 3 2->12         started        process3 signatures4 53 Antivirus detection for dropped file 9->53 55 Multi AV Scanner detection for dropped file 9->55 57 Machine Learning detection for dropped file 9->57 14 Colours.exe 1 2 9->14         started        59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->59 61 Injects a PE file into a foreign processes 12->61 18 A3kCyCeoFp.exe 6 12->18         started        process5 dnsIp6 41 146.70.161.85, 4217, 49705, 49712 TENET-1ZA United Kingdom 14->41 65 Tries to harvest and steal browser information (history, passwords, etc) 14->65 39 C:\Users\user\AppData\Roaming\Colours.exe, PE32 18->39 dropped 21 cmd.exe 1 18->21         started        23 cmd.exe 1 18->23         started        file7 signatures8 process9 signatures10 26 Colours.exe 2 21->26         started        29 conhost.exe 21->29         started        31 timeout.exe 1 21->31         started        51 Uses schtasks.exe or at.exe to add and modify task schedules 23->51 33 conhost.exe 23->33         started        35 schtasks.exe 1 23->35         started        process11 signatures12 63 Injects a PE file into a foreign processes 26->63 37 Colours.exe 2 26->37         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-01-26 14:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eaozhpymxjl5npzceajrd4ecyeo54if7cju5kj2vhhprj7kqeoma._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:default rat spyware stealer
Link:
https://tria.ge/reports/240126-rk5mlsfed4/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
127.0.0.1:4217
146.70.161.85:4217
Unpacked files
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/41f7583c-1827-436a-8193-dc1dd304b313/
SH256 hash:
bdf5d9c2419b70d8dd03eef41f930cd68da626451ec13f2c57448b1c7d10bf15
MD5 hash:
c78f47701436f23aea75f514a6a43075
SHA1 hash:
63c8c1b96b8880daf36b4edc4cfeb76c43f607a2
Link:
https://www.unpac.me/results/41f7583c-1827-436a-8193-dc1dd304b313/
SH256 hash:
d1c94e3463bc97366d68e1b2c5024bc989a07e844b3572baf93a0578a9025d4b
MD5 hash:
7f577193e1b7247d859b3a16287d9926
SHA1 hash:
56d18a7ffd359cc977d292ab80107a99952d3e18
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/41f7583c-1827-436a-8193-dc1dd304b313/
SH256 hash:
201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398
MD5 hash:
d224b20b8c858da3bac1c5fb9cd1c33b
SHA1 hash:
e1d256a961662b1b45c23a2bfc4e4edf2d30b177
Link:
https://www.unpac.me/results/41f7583c-1827-436a-8193-dc1dd304b313/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/201d93bf0cba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Asyncrat_11a11ba1
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2751963/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473072/

Comments