MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3
SHA3-384 hash: 4307812afc39680f5a87fbcda0e604e37ae83cb7a23e9f20b2966ccccbdb66660a740757a49e12792b422dd918ee06e2
SHA1 hash: cfc402514e0722638b21dfef369f617ea7d4b556
MD5 hash: 0ef4ec326bc8a66d0edcb94df2767f4b
humanhash: spring-undress-december-grey
File name:0ef4ec326bc8a66d0edcb94df2767f4b.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'473'024 bytes
First seen:2024-03-14 05:15:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep 24576:oIJvKzcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVCGC:o4KzcCyEq9DRho/ctH01Ws74rA4RUBDI
Threatray 63 similar samples on MalwareBazaar
TLSH T10F65128236D58131F0B3E93808ECBDA3696AF9264BB41F4BF358875D2F744B58668707
TrID 44.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
24.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.1% (.EXE) Win64 Executable (generic) (10523/12/4)
5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.FON) Windows Font (5545/9/1)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
51.195.231.121:8808

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3.exe
Verdict:
Malicious activity
Analysis date:
2024-03-14 05:17:35 UTC
Tags:
payload loader
Link:
https://app.any.run/tasks/16a6f90e-d583-492d-9dd3-7faf672a5014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478988/
Detection(s):
Sanesecurity.Malware.28946.BadP.UNOFFICIAL
Create hunting rule

Win.Trojan.Binder-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a window
Connection attempt
Sending an HTTP GET request
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a service
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Creating a file
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/65f288135cd908a33db1d061/reports/7f3f3857-7f6c-4626-bb88-c24c24711043/overview
Verdict:
Malicious
Labled as:
HackTool/Vbinder
Link:
https://www.hybrid-analysis.com/sample/2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f37cf76-aedd-4aa3-9c1a-7efaad6efe23
Result
Threat name:
AsyncRAT, Binder HackTool, PureLog Steal
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1408775
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain checking for user administrative privileges
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Binder HackTool
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1408775 Sample: oujFMn0mdW.exe Startdate: 14/03/2024 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 23 other signatures 2->71 8 oujFMn0mdW.exe 3 3 2->8         started        11 wscript.exe 1 2->11         started        process3 file4 51 C:\Users\user\AppData\...\CHROMESETUP.EXE, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\Temp\STAUP.WSF, Unicode 8->53 dropped 14 CHROMESETUP.EXE 73 8->14         started        18 wscript.exe 14 8->18         started        81 Wscript starts Powershell (via cmd or directly) 11->81 83 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->83 85 Suspicious execution chain found 11->85 21 cmd.exe 1 11->21         started        signatures5 process6 dnsIp7 55 C:\Windows\SystemTemp\...behaviorgraphoogleUpdate.exe, PE32 14->55 dropped 57 C:\Windows\SystemTemp\...\psuser_64.dll, PE32+ 14->57 dropped 59 C:\Windows\SystemTemp\...\psuser.dll, PE32 14->59 dropped 61 65 other files (none is malicious) 14->61 dropped 87 Drops executables to the windows directory (C:\Windows) and starts them 14->87 89 Found evasive API chain checking for user administrative privileges 14->89 23 GoogleUpdate.exe 7 72 14->23         started        63 51.195.231.121, 222, 49729, 49730 OVHFR France 18->63 91 System process connects to network (likely due to code injection or exploit) 18->91 93 Suspicious powershell command line found 18->93 95 Wscript starts Powershell (via cmd or directly) 18->95 97 Suspicious execution chain found 18->97 27 powershell.exe 15 18 18->27         started        99 Bypasses PowerShell execution policy 21->99 29 powershell.exe 21->29         started        31 conhost.exe 21->31         started        file8 signatures9 process10 file11 37 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 23->37 dropped 39 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 23->39 dropped 41 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 23->41 dropped 49 65 other files (none is malicious) 23->49 dropped 73 Found evasive API chain checking for user administrative privileges 23->73 43 C:\Users\Public\Conted.vbs, ASCII 27->43 dropped 45 C:\Users\Public\Conted.ps1, ASCII 27->45 dropped 47 C:\Users\Public\Conted.bat, ASCII 27->47 dropped 33 conhost.exe 27->33         started        75 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->75 77 Writes to foreign memory regions 29->77 79 Injects a PE file into a foreign processes 29->79 35 RegSvcs.exe 29->35         started        signatures12 process13
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3/
Threat name:
Win32.Ransomware.DarkyLock
Create hunting rule
Status:
Malicious
First seen:
2024-03-11 17:38:06 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f452hbxqok45rmym4iwzuxllhjxtvftvhwyi5bk4gr4hvfuc5lbq._file
Verdict:
malicious
Similar samples:
049e3f2984b1ae312dfd5d845e933f841cebd00141710d3e883bcac0c079917a
AsyncRAT
3489e98fe4da2b3e14d88e196ffcc1955c1fbe5361ed7fbb96605207898a9d25
AsyncRAT
6230bb2ed830c020906569829cfdc10084390648db2523d17404ccf9a488f324
AsyncRAT
66572f91a658ebc6b3c87144f633278123cab7d4a69bffa14f1b49d527cb4ac1
AsyncRAT
6be199b8f7fc51cd947831147afa22f3080fbac4e244be06f7276bde4aa388e3
AsyncRAT
9b21eedc109219e0115811d491dc0c9c5f35a3c5130e631bb40dc901d48d8864
AsyncRAT
b8d07af39d72c2f6a65bac410580a5128b0f038928f93d74a8cba5addb5a0985
AsyncRAT
c0c48afa5c73e1f1c9226433669ccfcfa66322594f9f01bf35cbe5cf3afd9514
AsyncRAT
c42aa3048aeb7415fa3fbc93700fef04354aca6f5fe907dd7b86f7858e2a28d3
AsyncRAT
ec6032cb680aeaf9bd2a73b57a868fc40d5309fc4c4529ab2277df7bff40bd73
AsyncRAT
+ 53 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:crypter discovery persistence rat spyware stealer
Link:
https://tria.ge/reports/240314-fx5btsbd9t/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
Blocklisted process makes network request
Modifies Installed Components in the registry
Sets file execution options in registry
AsyncRat
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
51.195.231.121:6606
51.195.231.121:7707
51.195.231.121:8808
Unpacked files
SH256 hash:
7d4479a7ecb562824b89726c791f72ea24bc8a5b249424ec5b5079ba487d6291
MD5 hash:
a10dd79fce9c68812ed0d10f3287d854
SHA1 hash:
90b75545f708e677f8acf74666beb15ba122118e
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
SH256 hash:
4fe18d8a3ad03a4ad0b82ceaf269a613a9a88b6d0aa84c5bbfbb8003a7df14b0
MD5 hash:
a0cb1d742dea1b5120f41eb0b52cd208
SHA1 hash:
f9fa29c7cafbdbe77499008361bcb4ce8a31c3d3
Detections:
SUSP_Unsigned_GoogleUpdate
Create hunting rule
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
SH256 hash:
cea19d80f6597b9b88e26d446da26c878aa01b08f7f8b572ece18e34f9b0c16c
MD5 hash:
c299213c65bfadc8b041127f12e91ac2
SHA1 hash:
b869453e2bc9c8f4a9102f1f11d198acfdd024ff
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
SH256 hash:
8a9f5cf5249b629908b7e8fd2b242023abe245b9afa34cb0a81cdf4408cafd28
MD5 hash:
3d083a84eade67e72d9d8a09bc8bddd2
SHA1 hash:
43fef305da03e225d2e178d89e7b3c68e4b28b38
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
SH256 hash:
0f9e150798854a20e5a28b880ba20fdd9ba0ac830b9275f647271c8cf2932388
MD5 hash:
0e8a19c1188f7e962c78ab45fa7b263d
SHA1 hash:
c5d1efb63085ff8b23ad89214032b2fd0158a645
Detections:
SUSP_Unsigned_GoogleUpdate
Create hunting rule
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
SH256 hash:
2f3ba386f072b9d8b30ce22d9a5d6b3a6f3a96753db08e855c34787a9682eac3
MD5 hash:
0ef4ec326bc8a66d0edcb94df2767f4b
SHA1 hash:
cfc402514e0722638b21dfef369f617ea7d4b556
Detections:
Malware_QA_update
Create hunting rule
MALWARE_Win_CelestyBinderLoader
Create hunting rule
Link:
https://www.unpac.me/results/52e4ce15-8b36-4b04-8b63-f1be6562a859/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_CelestyBinderLoader
Create hunting rule
Author:ditekSHen
Description:Detects Celesty Binder loader
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/478988/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetTempPathA

Comments