MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9
SHA3-384 hash: cf808a81dec24c3526947ff7637c119c4766ebaf547172e8509b10a8c7a9f87601a1d67de24dd06cc16c7ce070c11049
SHA1 hash: 5099ea68df4e09cf469afddfc4e828f9ba7b0989
MD5 hash: 13536e8bdc836cc2d16bbb7ee7d67e7c
humanhash: two-oxygen-california-fanta
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:487'936 bytes
First seen:2022-11-21 18:37:58 UTC
Last seen:2022-11-21 20:41:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:tCM33iPzRrt4kiTItqVW4cyUAZscBCLD0KDiY16:tC4iPzIdV7UAGcgc1
Threatray 2'283 similar samples on MalwareBazaar
TLSH T117A42367999785ABCE3033341674169E9FECC6B15130F481AC81F6464FDBBEA1F90AC8
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 93cc66454e266637 (1 x AsyncRAT)
Reporter jstrosch
Tags:.NET AsyncRAT exe MSIL X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-21 18:41:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db728fe3-4df3-4d7f-809b-53150ec055da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336908/
Detection(s):
SecuriteInfo.com.Win64.CrypterX-gen.30628.1390.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637bc58fe64742f53c107875/reports/8672b0c2-7f57-4507-bace-67a25a1b46ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f855238-e0f5-4a82-8636-6e50a24210f0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1118405
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Deletes itself after installation
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 18:38:20 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2ulk5qh63jiucz56anuosup6ulao7sav5w3krtjmuzv5mdjcpuq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
03a522f4d308162517decacc543958539b54de3da45876f824d857221a95ccf6
AsyncRAT
0b9c9b54d5549d7336f31646826215d69c4252486aefde1846bcbe369629844f
AsyncRAT
0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595
AsyncRAT
7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd
AsyncRAT
b2e31ed9833299ec3c166877db92ff5d477858f5867ca5494b26a82558e4616e
AsyncRAT
bec2c4c72b0297624093232878a45e9f5e467a9f838268a4403bc9416bde8189
AsyncRAT
de41596200eab56b30eddafa626ae24de9cf7ee54e0c2c35be0554af08207a63
AsyncRAT
fa8d8657315c0ff3057652f4b34194de08fa9d2ff3028ad2043b53c551851358
AsyncRAT
+ 2'273 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221121-w92dpscf23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9
MD5 hash:
13536e8bdc836cc2d16bbb7ee7d67e7c
SHA1 hash:
5099ea68df4e09cf469afddfc4e828f9ba7b0989
Link:
https://www.unpac.me/results/f93ea36e-9f52-4505-9c1d-483f5aa729e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 26a8b57607f6d28a0b3df01b474a8ff516077e40af6db5466965335eb06913e9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2409444/
Cape
Cape
https://www.capesandbox.com/analysis/336908/

Comments