MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
SHA3-384 hash: 0c03f67fb8d5c4be120da3a712d2f8d2c728f48b1303e836c0d7e714de60ba543847bb8dc09e3ec9f32ff360f9f2a90c
SHA1 hash: 8184b97a828b2abf7e89ac7174162449b5da83c9
MD5 hash: da9c79f7e1fb381ce030fbfc31d3af6a
humanhash: beryllium-monkey-robert-carbon
File name:da9c79f7e1fb381ce030fbfc31d3af6a
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:998'079 bytes
First seen:2023-05-26 20:24:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:vTbBv5rU9fm/CZ+FHy+oa5P7Vfzad699BGa6mtWODp8QJFJ:ZBOe/CZ1+FP7VbezOF8QvJ
Threatray 124 similar samples on MalwareBazaar
TLSH T1E8250201FAD2C472C4621D329675AB20767EBD201F758EDF63D06A6EDD322C1E235B62
TrID 53.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
39.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
2.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b470d4d4dcdcdcf0 (2 x Formbook, 2 x AgentTesla, 1 x AsyncRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
da9c79f7e1fb381ce030fbfc31d3af6a
Verdict:
Malicious activity
Analysis date:
2023-05-26 20:26:06 UTC
Tags:
asyncrat stealer
Link:
https://app.any.run/tasks/ba313c2c-2e6f-4017-bc83-0ec75fedf1b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392251/
Detection(s):
Win.Dropper.Formbook-9980566-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88056/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit cmd.exe evasive greyware keylogger lolbin overlay packed setupapi.dll shdocvw.dll shell32.dll wscript wscript.exe
Link:
https://www.filescan.io/uploads/647115a06bfe125c4dad7762/reports/c2dc77ee-d653-4e38-af7f-52e523f20346/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/32c7b816-d691-4b9e-ac62-a675d0a83f81
Result
Threat name:
AsyncRAT, DcRat, StormKitty
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243487
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876496 Sample: ap6B2upFrF.exe Startdate: 26/05/2023 Architecture: WINDOWS Score: 100 115 searchap.ddns.net 2->115 117 pastebin.com 2->117 127 Snort IDS alert for network traffic 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 Sigma detected: Capture Wi-Fi password 2->131 133 15 other signatures 2->133 12 ap6B2upFrF.exe 89 2->12         started        16 wscript.exe 2->16         started        18 wscript.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 file5 107 C:\Users\user\AppData\Local\...\lbvcefvmm.pif, PE32 12->107 dropped 157 Drops PE files with a suspicious file extension 12->157 159 Starts an encoded Visual Basic Script (VBE) 12->159 22 wscript.exe 1 12->22         started        24 cmd.exe 16->24         started        26 cmd.exe 18->26         started        161 Multi AV Scanner detection for dropped file 20->161 163 Creates multiple autostart registry keys 20->163 28 cmd.exe 20->28         started        30 RegSvcs.exe 20->30         started        32 RegSvcs.exe 20->32         started        34 RegSvcs.exe 20->34         started        signatures6 process7 process8 36 cmd.exe 1 22->36         started        38 cmd.exe 1 22->38         started        41 cmd.exe 1 22->41         started        43 lbvcefvmm.pif.exe.exe 24->43         started        45 conhost.exe 24->45         started        47 lbvcefvmm.pif.exe.exe 26->47         started        49 conhost.exe 26->49         started        51 lbvcefvmm.pif.exe.exe 28->51         started        53 conhost.exe 28->53         started        signatures9 55 lbvcefvmm.pif 2 173 36->55         started        59 conhost.exe 36->59         started        135 Uses netsh to modify the Windows network and firewall settings 38->135 137 Uses ipconfig to lookup or modify the Windows network settings 38->137 139 Tries to harvest and steal WLAN passwords 38->139 61 conhost.exe 38->61         started        63 ipconfig.exe 1 38->63         started        65 conhost.exe 41->65         started        67 ipconfig.exe 1 41->67         started        141 Multi AV Scanner detection for dropped file 43->141 143 Writes to foreign memory regions 43->143 145 Allocates memory in foreign processes 43->145 69 RegSvcs.exe 43->69         started        147 Injects a PE file into a foreign processes 47->147 71 RegSvcs.exe 47->71         started        73 RegSvcs.exe 51->73         started        process10 file11 99 C:\Users\user\pges\lbvcefvmm.pif.exe.exe, PE32 55->99 dropped 101 C:\Users\user\pges\lbvcefvmm.pif.exe, PE32 55->101 dropped 103 C:\Users\user\pges\lbvcefvmm.pif, PE32 55->103 dropped 105 3 other malicious files 55->105 dropped 149 Multi AV Scanner detection for dropped file 55->149 151 Creates autostart registry keys with suspicious values (likely registry only malware) 55->151 153 Creates multiple autostart registry keys 55->153 155 4 other signatures 55->155 75 RegSvcs.exe 55->75         started        signatures12 process13 dnsIp14 119 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 75->119 121 searchap.ddns.net 185.204.1.182, 49710, 49712, 49713 CREANOVA-ASOyCreanovaHostingSolutionsLtdFI Russian Federation 75->121 123 6 other IPs or domains 75->123 109 C:\Users\user\AppData\...\ZIPXYXWIOY.jpg, ASCII 75->109 dropped 111 C:\Users\user\AppData\...111YMMPCEIMA.docx, ASCII 75->111 dropped 113 C:\Users\user\AppData\...\CZQKSDDMWR.pdf, ASCII 75->113 dropped 165 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 75->165 167 May check the online IP address of the machine 75->167 169 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 75->169 171 3 other signatures 75->171 80 cmd.exe 75->80         started        83 cmd.exe 75->83         started        file15 signatures16 process17 signatures18 125 Tries to harvest and steal WLAN passwords 80->125 85 conhost.exe 80->85         started        87 chcp.com 80->87         started        89 netsh.exe 80->89         started        91 findstr.exe 80->91         started        93 conhost.exe 83->93         started        95 chcp.com 83->95         started        97 netsh.exe 83->97         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 20:25:06 UTC
File Type:
PE (Exe)
Extracted files:
119
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekl6ox7iqe6e27clgukoa5r5ftoarmnyumewfl5mjxdpadhg7xpq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0349fcd562c68adc726cea4e84cf6dab9c572a6cbb97c2018a9092126524d719
AsyncRAT
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
AsyncRAT
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
AsyncRAT
715aa59e7d1e568ad1e76c6ede8c762ec5d671723439d131f6b638c025fd7cb6
AsyncRAT
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
AsyncRAT
bf1bd7d13b353fcfcfac7fb3735575afb0a20eb6a5a3fd3b25ee95e91bcedd3d
AsyncRAT
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
AsyncRAT
d6cb7358c0741c5f1e50c5d8fef2423d960345a59e722a88d852049a9226811e
AsyncRAT
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
AsyncRAT
dcef53803395ab07ecfa4230ae586003b507e875cd93bae17648c47b536a7622
AsyncRAT
+ 114 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:newday2 persistence rat
Link:
https://tria.ge/reports/230526-y69xsaha58/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
MD5 hash:
da9c79f7e1fb381ce030fbfc31d3af6a
SHA1 hash:
8184b97a828b2abf7e89ac7174162449b5da83c9
Link:
https://www.unpac.me/results/dedeb4dd-0982-47de-a20a-a32d8c5bf33f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2297e75fe881/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392251/
  
URLhaus
https://urlhaus.abuse.ch/url/2641793/

Comments


Avatar
zbet commented on 2023-05-26 20:24:17 UTC

url : hxxp://95.214.27.98/lend/updater.exe