MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 26 File information Comments

SHA256 hash:	28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1
SHA3-384 hash:	b16afa456334281ec6cda6e187898b42ec1472a2b15a00f35dbdc0c8fcfed54f5d6cdca7e8f54c43fa4266d8c4e92876
SHA1 hash:	2e2a600c79da9680abd39550405ef262c35b506b
MD5 hash:	a9603fc56b10d09f3940349b665cdbbc
humanhash:	eleven-seven-video-mirror
File name:	1712325245cf26975c853294d18539147159b303dbdff25678469a6186ada08a8ef5378408168.dat-decoded
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	249'856 bytes
First seen:	2024-04-05 13:54:06 UTC
Last seen:	2024-09-12 15:39:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:ll3RR2fzjGrMbyddEP1cnyZGbnZxhBI+o5+:NRxn7Eyyk35
Threatray	77 similar samples on MalwareBazaar
TLSH	T129343A143BE94894F37F8B30ABF0706E46B1F463A919E27E198658C80F72784DC51FA6
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	AsyncRAT base64-decoded exe

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1.exe

Verdict:

Malicious activity

Analysis date:

2024-04-05 14:03:14 UTC

Tags:

stormkitty

Link:

https://app.any.run/tasks/f084f6ce-d809-4ccf-abd0-7b04f93e62e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Forced system process termination

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd configsecuritypolicy crypto evasive findstr hacktool hook keylogger lolbin mpcmdrun msconfig net netsh njrat packed rat razy redcap regedit schtasks stealer stormkitty

Link:

https://www.filescan.io/uploads/661002bc391c61c4791641e0/reports/6aa9453a-6e89-464d-abe3-8e8f2e6f9921/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a6f84ac9-7411-4e53-89a4-e586dd38c67f

Result

Threat name:

AsyncRAT, DcRat, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1420922

Signature

.NET source code contains potential unpacker

.NET source code contains suspicious base64 encoded strings

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AsyncRAT

Yara detected DcRat

Yara detected Generic Downloader

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

Detection:

shortloader

Link:

https://mwdb.cert.pl/sample/28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1/

Threat name:

Win32.Infostealer.StormKitty

Status:

Malicious

First seen:

2024-03-05 15:16:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fc4ydbe4v2wdoi4s4dzptqligekckbfp3d47pixsjiuzun6quhaq._file

Verdict:

malicious

AsyncRAT

28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

AsyncRAT

36567ff084c6b61f3c428300ff760b89bc7b54cca449b5d182bede9f6733590a

AsyncRAT

568aa14465f34c744a4e312cc06c096f859ca96f0daa3ac4513587b8f96508a8

AsyncRAT

578ff3f18bf8736cdf1617a63202d777c4f10e770406659a84ca85ac8174300e

AsyncRAT

64760ee87baa3f0c568365a0a3ab40e17e5bbca35f6287e18b27fcbcc617fee7

AsyncRAT

86cbf592506673e51dc698eeae701d4bb6c303179d198e3e9566bbc007ef5108

AsyncRAT

a3228a072409a8a3e96d305b669630bb03e0507bfe5472b7538237432ec8cfb8

AsyncRAT

b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

AsyncRAT

+ 67 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:stormkitty stealer

Link:

https://tria.ge/reports/240405-q74s6aec53/

Behaviour

Suspicious use of AdjustPrivilegeToken

StormKitty

StormKitty payload

Unpacked files

SH256 hash:

28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

MD5 hash:

a9603fc56b10d09f3940349b665cdbbc

SHA1 hash:

2e2a600c79da9680abd39550405ef262c35b506b

Detections:

StormKitty

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

Gen_Base64_EXE

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MALWARE_Win_DarkEye

SUSP_NET_Msil_Suspicious_Use_StrReverse

INDICATOR_SUSPICIOUS_EXE_Discord_Regex

cn_utf8_windows_terminal

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

INDICATOR_SUSPICIOUS_EXE_References_VPN

INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

MALWARE_Win_Multi_Family_InfoStealer

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_EXE_DcRatBy

INDICATOR_SUSPICIOUS_EXE_CC_Regex

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/ace64a6c-e29c-48eb-90c3-367306235af2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_CC_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing credit card regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_Crypto_Wallet_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing cryptocurrency wallet regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_DcRatBy Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing the string DcRatBy

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_VPN Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many VPN software clients. Observed in infosteslers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon Create hunting rule
Author:	ditekSHen
Description:	Detects executables with interest in wireless interface using netsh

Rule name:	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice Create hunting rule
Author:	ditekSHen
Description:	Detects executables attemping to enumerate video devices using WMI

Rule name:	MALWARE_Win_DarkEye Create hunting rule
Author:	ditekSHen
Description:	Detects DarkEye infostealer

Rule name:	MALWARE_Win_Multi_Family_InfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers

Rule name:	msil_suspicious_use_of_strreverse Create hunting rule
Author:	dr4k0nia
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	prynt_stealer Create hunting rule
Author:	Nikos 'n0t' Totosis
Description:	Prynt Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_NET_Msil_Suspicious_Use_StrReverse Create hunting rule
Author:	dr4k0nia, modified by Florian Roth
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:	https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

unknown cf26975c853294d18539147159b303dbdff25678469a6186ada08a8ef5378408

AsyncRAT

exe 28b981849caeac372392e0f2f9c16831142504afd8f9f7a2f24a299a37d0a1c1

(this sample)

Dropped by

SHA256 cf26975c853294d18539147159b303dbdff25678469a6186ada08a8ef5378408

Dropped by

MD5 04fbd87846c302989c6c8057136e0577

URLhaus

https://urlhaus.abuse.ch/url/2802063/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample