MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9
SHA3-384 hash:	baf28aa3ac851ec04bc1cc7da87c4b5173407c5126298e99a2daedab417bc0f337d7086f4d7513d82877133a9a5bb222
SHA1 hash:	dcab4fafa0387c0b4f5b700763cea78afb092024
MD5 hash:	cbbad2e2170ee73c2bfdacdade718d29
humanhash:	low-don-dakota-eight
File name:	SecuriteInfo.com.Trojan.GenericKD.69224191.30044.24123
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	3'630'735 bytes
First seen:	2023-09-22 05:30:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a66290ff0511a09df9cdce9b6ea86e77 (2 x XWorm, 1 x AsyncRAT, 1 x VenomRAT)
ssdeep	98304:R/YJIkkCBJroBdDv6Lj9uGQdT7Nx2Yn686n:R/0
Threatray	67 similar samples on MalwareBazaar
TLSH	T1B2F52B436ACB0DA6CED66BB461D31335A778FD61CB295F3FAA08C63419536C4AD1AF00
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.GenericKD.69224191.30044.24123

Verdict:

Suspicious activity

Analysis date:

2023-09-22 09:00:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d7ff3f9f-004c-457a-814b-3619f5be1e31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450545/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.69224191.30044.24123.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Launching a process

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a window

Setting a global event handler for the keyboard

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug explorer lolbin overlay powershell

Link:

https://www.filescan.io/uploads/650d269833582f234eff34b8/reports/c33b2409-8f49-461a-8498-b90866240720/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dropper

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/da7e94f4-a030-4323-94ad-05d6a470f1bb

Result

Threat name:

AsyncRAT, VenomRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1312743

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Encrypted powershell cmdline option found

Found API chain indicative of debugger detection

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suspicious powershell command line found

Yara detected AsyncRAT

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9/

Threat name:

Win64.Trojan.PShell

Status:

Malicious

First seen:

2023-08-30 08:23:32 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hjtzzomprdl5npme3t7jofzdrqemawkcavn5w6mbamre47zpfsuq._file

Verdict:

malicious

AsyncRAT

60416198c9b2105c9204638fd00e154e2f5c32ba45f5a8ae2671bae565c062e9

AsyncRAT

6cf0ea817a842b6b6149d1c613cf22a1dfbb729c3b8ab2f1a34e372ab66f5c65

AsyncRAT

abf4d22525f5eda1938e398e4fd1c266a350d8d5b7c19f9a72e2291b1966d946

AsyncRAT

af1de5075995378f6bd804aa5871458afe48ac1aef0a66c55bc5b7764e2b2443

AsyncRAT

b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed

AsyncRAT

d0fef87fd7e5a7214773deef4c445970147c88d5335867b552f9d4d22ef0231b

AsyncRAT

d35d61849f839f688f10bcffc545e7a008fa248b71bdc8af3b0fdd2023670690

AsyncRAT

+ 57 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/230922-f7pzwsfd78/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

193.161.193.99:31507

Unpacked files

SH256 hash:

3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9

MD5 hash:

cbbad2e2170ee73c2bfdacdade718d29

SHA1 hash:

dcab4fafa0387c0b4f5b700763cea78afb092024

Link:

https://www.unpac.me/results/5abd84a7-bc02-4e7a-a639-b9796b6e57ac/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a679cb98f88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.13

Link:

https://yomi.yoroi.company/submissions/3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450545/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample