MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9
SHA3-384 hash: 94829c419c1fb54b9f3cab05eec38cfa5e934c3db76fb6cd2916b6bda52503b3b844122e11037f4d569a2f94fe44ea30
SHA1 hash: a7876a7048bedf3f47053a291138f3c1ce7ea507
MD5 hash: a7bb6208831e685e039d0c4bce6661e9
humanhash: skylark-twenty-tango-white
File name:41570002689_20220905_05423615_HesapOzeti.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:235'008 bytes
First seen:2022-09-05 12:07:41 UTC
Last seen:2022-09-12 08:54:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:aioF/T7gqPHIvuvHQFpaIYkKEPIFJzE17vt9:4B5VHsaIYkb
Threatray 140 similar samples on MalwareBazaar
TLSH T1FB34FEC05148B8EAD1572B706C3BEEB1052FBFF9232095083A0777679973E56266BC4E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 95951126d64e0719 (8 x AgentTesla, 6 x StormKitty, 4 x Formbook)
Reporter abuse_ch
Tags:AsyncRAT exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
41570002689_20220905_05423615_HesapOzeti.exe
Verdict:
Suspicious activity
Analysis date:
2022-09-05 12:09:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77ef8fe7-45a9-414c-8a4d-48ba6c387545

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/307871/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6315e6b331a6d28c0ce26592/reports/64aaa2a7-5cd5-4749-b42c-d95aa1d06466/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37711329-823b-4488-821f-6c8a94a8b20a
Result
Threat name:
AsyncRAT, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065087
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected FormBook
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9/
Threat name:
Win32.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-09-05 07:34:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huruxvhpef77vhxui3w2aiuvgvlb7yc3tbmpagyofrmyb5jofx4q._file
Verdict:
malicious
Similar samples:
2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2
AsyncRAT
29824b969da3b9237bf59813a07dea7c3294e2506be355a26e19932a9d8f82d3
AsyncRAT
4db351188a3fd12e54ef4791c92d1128e3b006feed216ef24e2f6e91de208e95
AsyncRAT
51a7e43b8f07d021703306cf0a8be77fe1ef9e60c5f5bde1d822a7510bfe5acc
AsyncRAT
5d250fb6ec33e62f76d34c351e8c60a965d395964f969c5e0df2975f640daab0
AsyncRAT
82ceaad56c8928f9d0bd09357499847ef059640db0689760b5bbab95f3068287
AsyncRAT
8b5715e6425f57cd90a2327c1f902e5cafcd2d86269e03bf94080540c61c6e7c
AsyncRAT
b1181376125a5a10e0643ac86b6f84dcbd805fb8c34220a8223cc1cc8d25c570
AsyncRAT
f6e24be9e0ca768072111142940fd7246e19b86459039ad68868600ca6b6901e
AsyncRAT
ff64e80dba8ead90416aa270eb6d65c1cf74e0341704897d3a34c54d8d2cedc9
AsyncRAT
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220905-pav93sbce9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9
MD5 hash:
a7bb6208831e685e039d0c4bce6661e9
SHA1 hash:
a7876a7048bedf3f47053a291138f3c1ce7ea507
Link:
https://www.unpac.me/results/920582c8-3ec7-4bcd-9ecc-f4bb370bdcc6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 3d234bd4ef217ffa9ef446eda0229535561fe05b9858f01b0e2c5980f52e2df9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/307871/

Comments