MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50
SHA3-384 hash: a5bb2f7238222af0531f95f683a64957675633cfc3f3db797d474f72386577e1592fb1c652b69d3558431aaa56fa4f74
SHA1 hash: a4f090fd514cc9e59c62b8956eb95dab6106d760
MD5 hash: 4a500e5d391f84b7c4e93b767964c0d8
humanhash: lion-double-december-tango
File name:dotNetLoader.bin
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:140'288 bytes
First seen:2023-02-10 22:41:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:sOkOF8tLK2I3ORbspUy3r5c61aW4zOEbwG/EiLQPsIZlglo7Y91:sOkOF8Ne3xSy3r5VoW32EP7klt9
Threatray 3'113 similar samples on MalwareBazaar
TLSH T123D301023A8544DBF08C8774EF7B73432970F28747D9B9832490896FFA95B96944376B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:.NET 207-244-236-205 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dotNetLoader.bin
Verdict:
No threats detected
Analysis date:
2023-02-10 22:44:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ef67ac1-b905-4d4e-85f4-6b4ad38a4cf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/363601/
Detection(s):
Win.Trojan.MSILAgent-9986004-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd.exe evasive packed
Link:
https://www.filescan.io/uploads/63e6c83e459bcf4604009eca/reports/aca5f644-406d-40a0-af3b-af368f8c67d6/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.3
Link:
https://www.hybrid-analysis.com/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d8fa6083-ffd1-497a-9082-55e3eca5347e
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1171592
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804382 Sample: dotNetLoader.bin.exe Startdate: 10/02/2023 Architecture: WINDOWS Score: 96 23 Snort IDS alert for network traffic 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus / Scanner detection for submitted sample 2->27 29 6 other signatures 2->29 7 dotNetLoader.bin.exe 3 5 2->7         started        process3 dnsIp4 17 207.244.236.205, 49714, 6606 CONTABOUS United States 7->17 10 AcroRd32.exe 15 37 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 RdrCEF.exe 52 10->14         started        dnsIp7 19 192.168.2.1 unknown unknown 14->19 21 192.168.2.5 unknown unknown 14->21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50/
Threat name:
Win32.Backdoor.Aicat
Create hunting rule
Status:
Malicious
First seen:
2023-02-10 22:42:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hq35oni4benjyl6oolwn4s6ncjs7csg4hn3qc7kgryehieerxria._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
00f832dff9d82b0bc27bec58514839917cd175a11759488be8479e7e690311d3
AsyncRAT
2c8f198acf863de41f5d048234825676801e03532d0d1c07fcd3c1ded96ea13b
AsyncRAT
42e51b14c83bcd9f16c52efd320be899fbda13aade2f40f4d8f99db7e8b205ce
AsyncRAT
9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
AsyncRAT
a44e7420e441548adddf0d79cc51e46211ebfa7dde08e5c95211eb3f95d0e570
AsyncRAT
b3d1d312b9fb579640acad50a9591b7876c75e9dbf9df4d9f9a33575ed659173
AsyncRAT
+ 3'103 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/230210-2mnrzsgf3x/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
AsyncRat
Unpacked files
SH256 hash:
3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50
MD5 hash:
4a500e5d391f84b7c4e93b767964c0d8
SHA1 hash:
a4f090fd514cc9e59c62b8956eb95dab6106d760
Link:
https://www.unpac.me/results/7ffddc1f-32ee-490c-b697-a9b9b1b18457/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c37d7351c09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/363601/

Comments