MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972
SHA3-384 hash: 850b459b333e1ccbed30831f4379549eda07a6478b8a33fd7cbe5ecee88741a06178ff5babdae65b59968acf25e28fbe
SHA1 hash: 5386d37fe0f25e1751ac500ceea4d25ec368c557
MD5 hash: 59072d9cedb999a81634e7263885ced5
humanhash: blossom-golf-papa-idaho
File name:59072d9cedb999a81634e7263885ced5
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:131'072 bytes
First seen:2023-09-18 15:47:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:oUocxG1FSmPMVwOgEH1baiXNCQttnRPF9EVnb43jaI5gr2DY:oZSmPMVrfVbYItnRPF9cCGr4
Threatray 341 similar samples on MalwareBazaar
TLSH T185D39D027BE4C91AF2AD4B787CF312438AB5D897A112DE1A3CD424D95B77BC05503AEB
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e8b249cd4dc982e0 (7 x CoinMiner, 3 x DCRat, 3 x AsyncRAT)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
avemaria
Create hunting rule
ID:
1
File name:
Readme.lnk
Verdict:
Malicious activity
Analysis date:
2023-09-18 15:16:17 UTC
Tags:
warzone rat remote avemaria asyncrat zgrat backdoor
Link:
https://app.any.run/tasks/5b53d10c-b12a-4b3f-b524-149dd004a8cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449406/
Detection(s):
Win.Packed.Razy-9807129-0
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Trojan.AsyncRAT-9914220-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm configsecuritypolicy evasive hacktool keylogger lolbin lolbin mpcmdrun msconfig msiexec njrat packed rat regedit replace schtasks
Link:
https://www.filescan.io/uploads/650871350870810f01816bbe/reports/efc68fb1-dafd-4804-8066-bdde24e18415/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eea08c5b-9d52-4abf-a817-353e81ab6888
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310182
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310182 Sample: RV5Fsl40wI.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 9 other signatures 2->41 7 ChromeUpdater.exe 14 2 2->7         started        11 RV5Fsl40wI.exe 9 2->11         started        process3 dnsIp4 31 remotes1338.hopto.org 172.105.234.48, 7070 LINODE-APLinodeLLCUS United States 7->31 33 pastebin.com 172.67.34.170, 443, 49772 CLOUDFLARENETUS United States 7->33 43 Antivirus detection for dropped file 7->43 45 Multi AV Scanner detection for dropped file 7->45 47 Protects its processes via BreakOnTermination flag 7->47 49 Machine Learning detection for dropped file 7->49 29 C:\Users\user\AppData\...\ChromeUpdater.exe, PE32 11->29 dropped 14 cmd.exe 1 11->14         started        17 cmd.exe 1 11->17         started        file5 signatures6 process7 signatures8 51 Uses schtasks.exe or at.exe to add and modify task schedules 14->51 19 conhost.exe 14->19         started        21 schtasks.exe 1 14->21         started        23 ChromeUpdater.exe 3 17->23         started        25 conhost.exe 17->25         started        27 timeout.exe 1 17->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 11:42:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hftwba3i3ds77hhfvd7npoxn7j7egmnix7kkpqztpsbf4szc5fza._file
Verdict:
malicious
Similar samples:
0c7de462833b7b4703c368f1a30b2cb20010211f91928e1f15dbac3e357210bc
AsyncRAT
188eced85124122e1465031e6536377b4283f00d24fa28626f71138a4dc06cfc
AsyncRAT
19554d3c701bb2d8c3d86adaabc4843b400278cb5d0a013c18ebeb5e20a2e8a0
AsyncRAT
800d7d569bde7e5f450e1848e54aa47df0811d7dcb5c338c0cc311b8f55cb9c5
AsyncRAT
b62fc62a03e4d6c0eac25a8b104d8064288fdc5665ddc19ba55ed520ab9f2827
AsyncRAT
b79718f59f3d7d72a416fe00c3ab3477b43282981e69f9cf5426b2c8012423c1
AsyncRAT
bafb79c0260edbcb4a9d78aa5d0a2e0198c4d86b097c1118c732add640d237c0
AsyncRAT
c2cda600256314b688cf195f809356e2592ba8df9de9c2b1a117a0ee26ccfa28
AsyncRAT
+ 331 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230918-s8rw4aad3t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972
MD5 hash:
59072d9cedb999a81634e7263885ced5
SHA1 hash:
5386d37fe0f25e1751ac500ceea4d25ec368c557
Detections:
VenomRat
Create hunting rule
Link:
https://www.unpac.me/results/062ecaff-5683-4ab1-844b-7d2858ddf746/
Parent samples :
3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972
e15157101bd327603b208ceed5daf8b58b8feb2913569dfe35b444b1a48167e5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 3967608368d8e5ff9ce5a8fed7baedfa7e4331a8bfd4a7c3337c825e4b22e972

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712345/
Cape
Cape
https://www.capesandbox.com/analysis/449406/

Comments


Avatar
zbet commented on 2023-09-18 15:47:28 UTC

url : hxxps://filebin.net/qksc7kcncap9iv46/Google_Chrome.exe