MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3
SHA3-384 hash: a348093c2e0a5e136ac3f037c34c5925f54b5f9c0e1601c72ff87e0b6ac82e424532e48dd03d9ce3850f1df764a3fbc7
SHA1 hash: 586e092ba7030920f033d9e21b1c2b0804e7e6ef
MD5 hash: f14b1ff9a9ebe48f275dfcdf52e3cb6e
humanhash: pip-berlin-solar-failed
File name:csgo aimlock v2.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:4'229'120 bytes
First seen:2022-05-23 16:15:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:9Gw1j0xbWdjO7OXku5EdNJDUzEZYoL1j3jkJ3:MegxKdjzku5cMG1j3ji
Threatray 2'684 similar samples on MalwareBazaar
TLSH T10716331BB2019ABBEB4AABB10E09CD40D6046FAD04D9FE5FF44DB975E0713729A6310D
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 818da080a0a0a0a2 (137 x Heodo, 46 x Urelas, 12 x Rhadamanthys)
Reporter ShinigamiOwl
Tags:AsyncRAT exe


Avatar
ShinigamiOwl
https://mega.nz/file/ltt0jIqa#0XV2vRKLmUi-t5OyjjRq-WpnW5eDPBDl9FCO4Z6YZOw

pass: 123

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
csgo aimlock v2.exe
Verdict:
No threats detected
Analysis date:
2022-05-23 21:05:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2934c0c3-1ba5-4828-826b-4e55df074a2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273793/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed
Link:
https://www.filescan.io/uploads/628bb3183223462f89dda7c4/reports/190f7a8b-c451-4653-a124-c428ed4d0871/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aed4912e-f519-4a96-af31-305a808b80a3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1000036
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 21:52:32 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
21
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
19a74b73bfbb078a9a9fe5c0789d7d011ea547dc2f6a8e17f44efe7c5dffcf57
AsyncRAT
49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97
AsyncRAT
526ccdf3725d73edaaf7115dab56fe804c409ae9ec955c9012f16cd63bdd1843
AsyncRAT
6e5a705271b3d5f53476410d8667d8a8b254595ea387737125f0af049596a2b8
AsyncRAT
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
AsyncRAT
b5cf6e34c00c5f0909467f20d071c313c26d8e8849dc920908d3df27d7256506
AsyncRAT
d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051
AsyncRAT
+ 2'674 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat spyware stealer suricata upx
Link:
https://tria.ge/reports/220523-tqslcaefd3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
Unpacked files
SH256 hash:
38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3
MD5 hash:
f14b1ff9a9ebe48f275dfcdf52e3cb6e
SHA1 hash:
586e092ba7030920f033d9e21b1c2b0804e7e6ef
Link:
https://www.unpac.me/results/f26044fa-9b72-42dc-bae5-cd85926f9ac6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 38670f0f3b254aa49f585837d675a2bd22873f7c418629c6f41170eb01529ff3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273793/

Comments