MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c
SHA3-384 hash: d8325dcaa3d7a630ee1eeb717cda934558fbed95e7fa122cad5115f0f6cc33436e88a97efcd03320588b37612f666fb7
SHA1 hash: 72d1cc12d7684dac79d1983e1be7a9efde09c3a5
MD5 hash: 60dc47e69afcdadc8f4e744f7a40a87b
humanhash: echo-mobile-michigan-kentucky
File name:60dc47e69afcdadc8f4e744f7a40a87b
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'532'416 bytes
First seen:2023-04-23 14:13:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Sw998FHHVXtnM83EF3HcQ090WdnPf1jkcKdWKThZfbFD:S5V9nM/y19P1yh
Threatray 144 similar samples on MalwareBazaar
TLSH T1E565D0316BC1BDDDFBE90EB4E87501543CB0B86BA169E248B980289BCD60394DD71FB5
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
60dc47e69afcdadc8f4e744f7a40a87b
Verdict:
Malicious activity
Analysis date:
2023-04-23 14:14:30 UTC
Tags:
asyncrat
Link:
https://app.any.run/tasks/2d7b1e9f-065f-4ff3-a548-f261f7038fad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.333009.29007.17615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64453d2d37cce82f3a54873e/reports/a002fe74-9a50-41f9-bae2-de045b052a1d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
PureCrypter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd7acab8-2a8d-4162-b687-75789c5333d8
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219535
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852477 Sample: LF6o0xfG25.exe Startdate: 23/04/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 7 other signatures 2->49 7 LF6o0xfG25.exe 1 6 2->7         started        11 Microsoft Edge.exe 3 2->11         started        13 Microsoft Edge.exe 2 2->13         started        process3 file4 35 C:\Users\user\AppData\...\Microsoft Edge.exe, PE32 7->35 dropped 37 C:\...\Microsoft Edge.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\...\LF6o0xfG25.exe.log, ASCII 7->39 dropped 51 Writes to foreign memory regions 7->51 53 Injects a PE file into a foreign processes 7->53 15 cmd.exe 1 7->15         started        18 aspnet_compiler.exe 2 7->18         started        21 aspnet_compiler.exe 7->21         started        23 aspnet_compiler.exe 3 11->23         started        25 aspnet_compiler.exe 11->25         started        27 aspnet_compiler.exe 11->27         started        29 aspnet_compiler.exe 13->29         started        signatures5 process6 dnsIp7 55 Encrypted powershell cmdline option found 15->55 31 powershell.exe 21 15->31         started        33 conhost.exe 15->33         started        41 isabelaflores.fun 15.228.89.234, 49699, 7000 AMAZON-02US United States 18->41 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-04-23 14:14:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbbvjqyyghdcvsd7xjfaubbp5fg26tefhat32aajmzxvai4nwi6a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
26f274b2521ca2f2c7e27ee2b4cfd14423ba43dbadfd97a25352f3eaf4a0e524
AsyncRAT
45215b8cc47cfa93874fbf5252888163c4ea43c4aeb8ac63960e43406f9f7b40
AsyncRAT
68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe
AsyncRAT
7715c84b2504a1cb0a5cb7f3ac93f838ee1b30acd915d45f4b16549b0c55dad2
AsyncRAT
8d07d16f63cb3b3a11c929cc58d0bad2428b4364b3ac76f09bc3e0f1df8f0483
AsyncRAT
99735bf17537e921b53f4b4f2aada8fecbf1d0627ce3139b878151d9fe3f4b9f
AsyncRAT
9cb053ae7f2c117e74fbc6dc775675c73d5d3f3b41d09175036f88b1c0db7374
AsyncRAT
+ 134 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat
Link:
https://tria.ge/reports/230423-rjzpzafe2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
isabelaflores.fun:7000
Unpacked files
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/441878d2-309a-4357-a887-8e9dd6149bed/
SH256 hash:
34a8d816ee0075724835e6e4735b6a93f624f95862bf402779e38de94b0a3939
MD5 hash:
d55410efe5b86dbf3d0d0427c00109a5
SHA1 hash:
ba30c34b8d34908734489b1ac4297847bed4f30e
Link:
https://www.unpac.me/results/441878d2-309a-4357-a887-8e9dd6149bed/
SH256 hash:
713180dc45056007ac48dce5c0700379d38a4acd7ef58eb5a4bad6d3d22a6d2b
MD5 hash:
3774600b1d7c6a990129a39ce71bd715
SHA1 hash:
129646d077a799670aa55132a8dcf89dc8d7bd9c
Detections:
DCRat
Create hunting rule
Link:
https://www.unpac.me/results/441878d2-309a-4357-a887-8e9dd6149bed/
SH256 hash:
284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c
MD5 hash:
60dc47e69afcdadc8f4e744f7a40a87b
SHA1 hash:
72d1cc12d7684dac79d1983e1be7a9efde09c3a5
Link:
https://www.unpac.me/results/441878d2-309a-4357-a887-8e9dd6149bed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/284354c31831/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 284354c31831c62ac87fba4a0a042fe94daf4c853827bd0009666f50238db23c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2616351/

Comments


Avatar
zbet commented on 2023-04-23 14:13:16 UTC

url : hxxps://beautifulqueen.com.br/Documentos.jpg