MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9
SHA3-384 hash: 649ce3c64de44a8bede0ee5459590031f853a1a5fe80401e404f265b04019794ea402d44bdd539c3b5976a77dbc50e3a
SHA1 hash: 18f7cd9a10c98507ccab0afc108510c3ae427621
MD5 hash: 8b259b27ec3032be9da39ac9993cfe69
humanhash: may-seven-tennessee-wisconsin
File name:8b259b27ec3032be9da39ac9993cfe69.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:417'090 bytes
First seen:2022-04-12 12:44:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:QNeZKwzd7MlyWOk0zzKjEoBvMrvasVjnAcvKrlWElVV6mVD0kHoA9Vhn4N:QN/wx7MvI/KGvadm0sErjHxVG
Threatray 10'693 similar samples on MalwareBazaar
TLSH T13C94EF0334EC81DBE9ED1EB05C28F72D266A6E2121109D4A7F84FE4E757994240FBA7D
File icon (PE):PE icon
dhash icon e4ccccccd4c4cccc (10 x Formbook, 10 x AgentTesla, 5 x Loki)
Reporter abuse_ch
Tags:AsyncRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
8b259b27ec3032be9da39ac9993cfe69.exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 03:20:09 UTC
Tags:
asyncrat trojan rat
Link:
https://app.any.run/tasks/6f0de6f8-3123-4ea4-823f-eac1413ac23d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263080/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13607/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62557432ffe27d5119b58b51/reports/32224242-9830-4acb-9079-93553dc4e922/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87277ca2-f2c3-4df2-a2e5-3b811874821b
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975520
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 608003 Sample: iXQth4acZ7.exe Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 49 www.dupa88bet.com 2->49 51 www.desel.info 2->51 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 5 other signatures 2->65 11 iXQth4acZ7.exe 18 2->11         started        14 whrvabrasbttk.exe 2->14         started        17 whrvabrasbttk.exe 2->17         started        signatures3 process4 file5 45 C:\Users\user\AppData\Local\Temp\jwnjj.exe, PE32 11->45 dropped 19 jwnjj.exe 1 2 11->19         started        77 Antivirus detection for dropped file 14->77 79 Multi AV Scanner detection for dropped file 14->79 23 WerFault.exe 3 10 14->23         started        25 WerFault.exe 14->25         started        27 WerFault.exe 10 17->27         started        signatures6 process7 file8 43 C:\Users\user\AppData\...\whrvabrasbttk.exe, PE32 19->43 dropped 67 Antivirus detection for dropped file 19->67 69 Multi AV Scanner detection for dropped file 19->69 71 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 19->71 73 Injects a PE file into a foreign processes 19->73 29 jwnjj.exe 2 4 19->29         started        signatures9 process10 dnsIp11 53 79.134.225.97, 4449, 49718, 49811 FINK-TELECOM-SERVICESCH Switzerland 29->53 47 C:\Users\user\AppData\Local\...\fmaxldr2.exe, PE32 29->47 dropped 33 cmd.exe 1 29->33         started        file12 process13 signatures14 55 Suspicious powershell command line found 33->55 57 Bypasses PowerShell execution policy 33->57 36 powershell.exe 12 33->36         started        38 conhost.exe 33->38         started        process15 process16 40 fmaxldr2.exe 36->40         started        signatures17 75 Multi AV Scanner detection for dropped file 40->75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 04:53:37 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
AsyncRAT
1c783c06aa669b0133618672069fba39409a6eda891e48e172d679ed0c1e8fef
AsyncRAT
2c9eea8d5b6618d104ec61f30308a1e872139ff87a6a9f18bf3d7dd442f9fcf0
AsyncRAT
5d0a8a5478876026ee661b50518e44f95308bf20e1e512c3608f97f97aed3384
AsyncRAT
6c827d61cbe6d4b9c2851c1c234353265188e805cc27ebe195b9133e1f8fcc80
AsyncRAT
9b9b8fda0efdc14380cc3da53380812bfe152a4a05de99aa9159f167066f9ff0
AsyncRAT
bbc5503e9511c3d9a4116c7c0189bcf33a0189cf61e02bc9f605b9beab320e91
AsyncRAT
de12f96f01168f625165bda83f4d556d00d6c473e61aa5c6f424aed07ae9cc04
AsyncRAT
eaa2ffea97ff065ac6270e67d8d96664360ea8cde77b78a4cc19949a63ed3563
AsyncRAT
fff77f3852a66a56bad4ec5bc1c1bc2afb0b08b8ea65393384a1ee6917dcb355
AsyncRAT
+ 10'683 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:second fruits persistence rat
Link:
https://tria.ge/reports/220412-pyhnwsefb2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
79.134.225.97:4449
Unpacked files
SH256 hash:
7523cfc1ad982fa165179747f579524955638b9bf9641c953b94207e95e19140
MD5 hash:
5f20a362374e81cd4bc42c3edeb157d5
SHA1 hash:
d97e385e1e7db2ec55b9925cc268bd8e0e7f4d23
Link:
https://www.unpac.me/results/b70231be-668f-4e1f-b2db-500beeed4196/
SH256 hash:
3f0a4b53a7d87fc73370d8584e59e876ddbcb6a7c1f910738684d569a1845f6f
MD5 hash:
b4013865369ece448631ee3540d450b0
SHA1 hash:
733491750055d6b4ebf55840fc8a1d5f09a3be67
Link:
https://www.unpac.me/results/b70231be-668f-4e1f-b2db-500beeed4196/
SH256 hash:
93d31755937c1b757bc93da602bda6f5ee46e0ab85f558842702df056188be05
MD5 hash:
2fcb534f82fabd74a631adf350fa865e
SHA1 hash:
afc64c5372383f04c16ed4d602304835f0d68015
Link:
https://www.unpac.me/results/b70231be-668f-4e1f-b2db-500beeed4196/
SH256 hash:
31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9
MD5 hash:
8b259b27ec3032be9da39ac9993cfe69
SHA1 hash:
18f7cd9a10c98507ccab0afc108510c3ae427621
Link:
https://www.unpac.me/results/b70231be-668f-4e1f-b2db-500beeed4196/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2141597/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263080/

Comments