MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4
SHA3-384 hash:	f66dd72dd1e40406588e7d80cf5960b055a83a3ba80a7719eed0e4f0f6406c945e15e601e196bdf074ffd261ee57b6b8
SHA1 hash:	fd27fb12e4b6e1af127170891001c3134e51f892
MD5 hash:	1e1961c1b3fab9d3213365d7b2a6d4ac
humanhash:	saturn-hawaii-king-wisconsin
File name:	1e1961c1b3fab9d3213365d7b2a6d4ac.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'472'000 bytes
First seen:	2023-12-01 06:25:21 UTC
Last seen:	2023-12-01 08:37:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:yDqw4fKBK9KzKdyfKV6Kta3y8dvPIk7H5jlmCHMuB46sNJFyh0AFOzIkY:yXBK9KzKdyfKV6KtIRPdHZQCvZAJFyhx
Threatray	19 similar samples on MalwareBazaar
TLSH	T120658D8843987D0AC65D0639B015334D17F0ECE16EB6BFDDB90878BA2FB2BD245B9152
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	aee1cccccccce1a6 (1 x AsyncRAT)
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

1e1961c1b3fab9d3213365d7b2a6d4ac.exe

Verdict:

Malicious activity

Analysis date:

2023-12-01 06:25:36 UTC

Tags:

rat asyncrat remote purecrypter

Link:

https://app.any.run/tasks/bf296c9a-9dd2-45a8-bba1-e9d3e7e274f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461578/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Verdict:

Malicious

Labled as:

Marsilia.Generic

Link:

https://www.hybrid-analysis.com/sample/39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c9155b08-6cf6-442b-ab1a-5bd764baabf9

Result

Threat name:

zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351119

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4/

Threat name:

ByteCode-MSIL.Trojan.Marsilia

Status:

Malicious

First seen:

2023-11-28 14:40:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgskhpqxcpyli6gxgdypvj63wld4ze3ppz2pi6ymkzeybhkobs2a._file

Verdict:

malicious

AsyncRAT

8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251

AsyncRAT

abd71e133db7c7fda0247aee5c69edd897e2968077243d5606b46ad770163f4a

AsyncRAT

c6278fa04be065c8a37b80f35ebbafef00de918be694488ac9fc429016486cc1

AsyncRAT

f7f5e52a83cf839d901b6579c9df98755953dae650a43ed9aff8a57cf3b41382

AsyncRAT

+ 9 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat persistence rat

Link:

https://tria.ge/reports/231201-g6wxgsfd98/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

0cecf599f8b68e10daa31479f3b91efee42477d69b9844955415963fe41aba99

MD5 hash:

420f2a81a07d1cd9398f85d6246f1d8b

SHA1 hash:

dfd77c7be74822ab8b47cf7689f38eb5519a2d35

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

824070bc87d001d5ffbb8305f4280ec27fef0b4e965471ade0672978469cbfd1

MD5 hash:

d9ab853940e0b2a2f3ed2d9ebb24d698

SHA1 hash:

cc7b00fa6536004cbf69d6b3ede15a08bc160e59

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

cc5f82b8bf83f71557812b0e8cbb9d6c269770d335fe510cb660feee40d9843e

MD5 hash:

715fa03ad5fa610b843b56b6844a87e6

SHA1 hash:

c3475cfdf225699e332fa2b1df0cb24e1cdd65ac

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

f70393a36651c714811b4b251de5ff3b6d9f55af3c01123acab0c9265a229d48

MD5 hash:

0aa2712d982625d74e4f0772236e090f

SHA1 hash:

0e96079c6da24f37c4e6dfbcc2a4cb22ed4037af

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

3c521ee7d5cfaba3c706b7e643a592cd8b1d5ac899589d271e3fe1b0a2dad104

MD5 hash:

7f871d487200c08e23b5be969de5f849

SHA1 hash:

0273b2d5ff6cb3b7173f23bf9875acf70be3cb61

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

SH256 hash:

39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4

MD5 hash:

1e1961c1b3fab9d3213365d7b2a6d4ac

SHA1 hash:

fd27fb12e4b6e1af127170891001c3134e51f892

Link:

https://www.unpac.me/results/80fc05bf-827a-4ecb-bfb0-5b3e7970616b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/39a4a3be1713/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39a4a3be1713f0b478d730f0faa7dbb2c7cc936f7e74f47b0c5649809d4e0cb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/461578/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample