MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
SHA3-384 hash: 1f99b5aee3a1ab2878b13d7d559555b6edbd9a8fb7582248d82ae30186161b0d1f1b2ecd084e57f735df4512c6cb8162
SHA1 hash: 31a01f5ff0b1199efa88fa894d8bd5d47dfec37d
MD5 hash: b611642fa2f3f4816236de11c43b23fc
humanhash: thirteen-undress-wisconsin-lamp
File name:b611642fa2f3f4816236de11c43b23fc
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'200'208 bytes
First seen:2022-12-04 05:16:49 UTC
Last seen:2022-12-04 06:27:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ce034b939c6145516baadcd9b5d3871 (2 x RedLineStealer, 1 x SystemBC, 1 x ArkeiStealer)
ssdeep 49152:oe1oCdfU5tJpNzQmrY45yoR/zwaCeyoiNfCVDHGI1QfcO03HPv1AbBVl+y:oe1dMFzyRULXNJi58Dh1mW3HPv1WBL5
Threatray 17'972 similar samples on MalwareBazaar
TLSH T1CEA52330FBAA9C27E4920234342AB77757357AB4A148D6473B842B5EED713D1C6B5383
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 71e0dcba9ecce871 (1 x AsyncRAT, 1 x LaplasClipper)
Reporter zbetcheckin
Tags:32 AsyncRAT exe signed

Code Signing Certificate

Organisation:*.sartle.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T05:30:29Z
Valid to:2023-03-25T05:30:29Z
Serial number: 4c49eeed4561ba2b
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f8f3da1c33ff5f289a26ffd7939218bc2eb872c5fe45cddf540217683c56f9d4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b611642fa2f3f4816236de11c43b23fc
Verdict:
Malicious activity
Analysis date:
2022-12-04 05:18:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2b42a78-6f22-4f1b-b61b-f6634a1d1ade

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342444/
Detection(s):
SecuriteInfo.com.W32.Kryptik_AGen.AQI.tr.21816.24270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638c2d9504e0e79bdf40b927/reports/377b6254-a249-448c-9962-60c712ac7b26/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59f05d53-cb40-47f4-bef3-930e115a3d57
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1127322
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-04 01:59:04 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eylrdxrh2x7s3stkxcrj23dr3qxys64pt7utxz7xusm7i3s4vlia._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
AsyncRAT
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
AsyncRAT
2fd76f5bd73eeec44ca3ef9a2783e496f66b07f0b6b814f0046ec3aaeac6f911
AsyncRAT
3d538725fd27edb771e7e5c07a11508d7363dc6f0bdb438240bd34eae746aeed
AsyncRAT
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
AsyncRAT
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
AsyncRAT
abf32362b9d9351332107be717d6673ff298e6f66e536838f59dc0ca0e22942a
AsyncRAT
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AsyncRAT
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
AsyncRAT
f99cf4e79efb37bea41405c5701f8ce7f86dea17a05b0c89f8f775c28458b214
AsyncRAT
+ 17'962 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221204-fzb33aab95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d0b74536-f471-4148-82e4-9ce620ae3954
Unpacked files
SH256 hash:
0022c38d813c72e6f9c4a82c4a5587061f10e559664331358128685350b14b71
MD5 hash:
7460376ebfc305be1140277ac2ca6d4d
SHA1 hash:
33cb4eca0fd6d5b62d40721fe69d62f6a9d00dbc
Link:
https://www.unpac.me/results/9e87970b-665b-4b88-9d4c-28dd16726fce/
SH256 hash:
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
MD5 hash:
b611642fa2f3f4816236de11c43b23fc
SHA1 hash:
31a01f5ff0b1199efa88fa894d8bd5d47dfec37d
Link:
https://www.unpac.me/results/9e87970b-665b-4b88-9d4c-28dd16726fce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2441295/
  
URLhaus
https://urlhaus.abuse.ch/url/2443530/
Cape
Cape
https://www.capesandbox.com/analysis/342444/

Comments


Avatar
zbet commented on 2022-12-04 05:16:55 UTC

url : hxxp://mrfreeman.xyz/nppshell32.exe