MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 18



SHA256 hash: 41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
SHA3-384 hash: b4091635fb5a6f7ee7141dab2afc76baf71fc2a8f0f49ff12bd66b1e718fecfe9972983f5b3e1f1348150d5d46a4450a
SHA1 hash: 1d88ed5170efab2d32d83341be56e1b9f6720d7c
MD5 hash: 713e742f7314ca8d684137f996540b4b
humanhash: cup-wyoming-carbon-five
File name: 713e742f7314ca8d684137f996540b4b.exe
Signature: AsyncRAT
File size: 6'992'896 bytes
First seen: 2024-08-11 06:58:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B
TLSH: T1B966AE003BF88E22E1AEA277D5F2444557F0EC2AB3A3E70B6591777E1C537919C01AA7
TrID:
  63.6% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  13.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  10.3% (.EXE) InstallShield setup (43053/19/16)
  3.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  3.1% (.SCR) Windows screen saver (13097/50/3)
Reporter: abuse_ch
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 368
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 713e742f7314ca8d684137f996540b4b.exe
Verdict: Malicious activity
Analysis date: 2024-08-11 07:09:47 UTC
Tags: quasar xworm rat dcrat remote darkcrystal orcus asyncrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Win.Packed.Razy-9625918-0
Win.Packed.Generic-9805849-0
Win.Malware.Uztuby-9848412-0
Win.Packed.Uztuby-9851623-0
Win.Trojan.Uztuby-9855059-0
Win.Packed.AsyncRAT-9861056-1
Win.Ransomware.Clinix-9868408-0
Win.Malware.Generic-9883083-0
Win.Malware.Msilheracles-9900242-0
Win.Malware.Bulz-9937329-0
Win.Malware.Uztuby-9939317-0
Win.Packed.Msilmamut-9950860-0
Win.Packed.Uztuby-9963900-0
Win.Packed.Uztuby-9969968-0
Win.Malware.Uztuby-9972880-0
Win.Trojan.DarkKomet-9976180-0
Win.Packed.njRAT-10002074-1
Win.Packed.Msilzilla-10002982-0
Win.Trojan.Uztuby-10010740-0
Win.Packed.Loveletter-10023052-0
Win.Dropper.Nanocore-10024427-0
Win.Packed.Msilzilla-10026193-0
Win.Packed.Msilzilla-10026194-0
ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
ditekSHen.MALWARE.Win.Trojan.QuasarStealer.UNOFFICIAL
Win.Trojan.Injector-6297685-1
Win.Packed.Downeks-6898097-0
Win.Trojan.Agent-345883
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Infostealer Network Other Static Stealth Trojan Msil

Verdict: Malicious
Labelled as: Dropper.Generic.MSIL.PasswordStealerA

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Quasar, AsyncRAT, DCRat, Orcus, XWorm
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Quasar
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected Generic Downloader
Yara detected Orcus RAT
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph: [graph rendering not recoverable from the page] Behavior Graph ID: 1491204, Sample: zFONuE0fId.exe, Startdate: 11/08/2024, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Backdoor.AsyncRAT
Status: Malicious
First seen: 2024-08-06 17:38:02 UTC
AV detection: 23 of 24 (95.83%)
Threat level: 5/5

Verdict: malicious
Label(s): asyncrat

Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:dcrat family:quasar family:xworm botnet:default botnet:office04 discovery evasion execution infostealer persistence rat spyware trojan
Behaviour
Delays execution with timeout.exe
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Async RAT payload
DCRat payload
AsyncRat
DcRat
Detect Xworm Payload
Modifies WinLogon for persistence
Process spawned unexpected child process
Quasar RAT
Quasar payload
Xworm
Malware Config
C2 Extraction:
thing-wine.gl.at.ply.gg:55280
businesses-eric.gl.at.ply.gg:55282
projects-pf.gl.at.ply.gg:55284
wiz.bounceme.net:6000
Unpacked files
SHA256 hash:
f52798a690f661a2b30e2fb3a3689a0aa09fcc0f7ea4efe669e265670742254e
MD5 hash:
cdff2cee70c00c73f066e1c9a7515a95
SHA1 hash:
f8bfe41193a917830dc13450c2665d862fea08d1
Detections:
PureCrypter_Stage1
SHA256 hash:
b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f
MD5 hash:
89bf0f7e9adf290c6d571eccf79206a9
SHA1 hash:
65f95791234ff93bc3e35f1d35d7a6664872dc56
Detections:
win_xorist_auto
Parent samples:
SHA256 hash:
44a30d53788ccbbef510a68b894c40a093ecc4a934b6a7c91037d3180987bf71
MD5 hash:
e68c730d5e9eea130b20f99f8380e644
SHA1 hash:
d5387728b7aa9724e5f49d9ebe871c4bcc447c01
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
42a913fedb31db5ba0cf28abd0fe6afc3b9807aac7045a1c02579c2b3282a3b1
MD5 hash:
6940c38a8661b0b8713afd4c63b12456
SHA1 hash:
cc78ac6b4974bb3352890b8e89d038ddc4c4eae4
Detections:
QuasarRAT malware_windows_xrat_quasarrat win_quasarrat_j2 cn_utf8_windows_terminal MAL_QuasarRAT_May19_1
SHA256 hash:
fe1aa0fe9fa3c3faf64fef5ef7604170ac2934f4a52fd44b7f93bc79867aacf9
MD5 hash:
a08ad61a962a02e8a41a5f4c34140e79
SHA1 hash:
8efc6f35df0017ce8a6239164698675725bb83ad
SHA256 hash:
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5
MD5 hash:
e854a4636afc652b320e12e50ba4080e
SHA1 hash:
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc
SHA256 hash:
be6c566ca9e0f0c620ccbd0581b48ba0cdf616135195dc4f5b9236f985b3172f
MD5 hash:
3de8bb77473e360e1b15d2f80f489248
SHA1 hash:
507f0223797e077f25775908d911dbbdc64e04a9
Detections:
HVNC win_orcus_rat_a0 HiddenVNC Agenttesla_type2 win_orcus_rat_simple_strings_dec_2023 MAL_BackNet_Nov18_1
SHA256 hash:
d1ba8885bb27b8b53e8754181b474f47d0afc57ce406ca4c18edf111cbb63226
MD5 hash:
2498d43b33fdf705d23a044d0704271b
SHA1 hash:
79b2ee6e706d561533936cde87a46830fbfeec9b
Detections:
AsyncRAT win_asyncrat_w0 asyncrat
SHA256 hash:
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
MD5 hash:
713e742f7314ca8d684137f996540b4b
SHA1 hash:
1d88ed5170efab2d32d83341be56e1b9f6720d7c
Detections:
QuasarRAT HVNC win_orcus_rat_a0 win_asyncrat_w0 malware_windows_xrat_quasarrat SUSP_NET_Msil_Suspicious_Use_StrReverse HiddenVNC win_quasarrat_j2 Agenttesla_type2 cn_utf8_windows_terminal win_orcus_rat_simple_strings_dec_2023 SUSP_OBF_NET_Reactor_Indicators_Jan24 MAL_QuasarRAT_May19_1 asyncrat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: AsyncRat
Author: kevoreilly, JPCERT/CC Incident Response Group
Description: AsyncRat Payload

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: ByteCode_MSIL_Backdoor_AsyncRAT
Author: ReversingLabs
Description: Yara rule that detects AsyncRAT backdoor.

Rule name: dcrat
Author: jeFF0Falltrades

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Diff_QuasarRAT_01
Author: schmidtsz
Description: Identify QuasarRAT samples

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name: HiddenVNC
Author: @bartblaze
Description: Identifies HiddenVNC, which can start remote sessions.

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: malware_asyncrat
Description: detect AsyncRat in memory
Reference: https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Rule name: malware_asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: MALWARE_Win_QuasarStealer
Author: ditekshen
Description: Detects Quasar infostealer

Rule name: MALWARE_Win_XWorm
Author: ditekSHen
Description: Detects XWorm

Rule name: MAL_QuasarRAT_May19_1
Description: Detects QuasarRAT malware

Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MAL_QuasarRAT_May19_1_RID2E1E
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat

Rule name: pe_detect_tls_callbacks

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: RAT_win_Orcus
Author: KrknSec
Description: Detects Orcus RAT
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Rule name: RC6_Constants
Author: chort (@chort0)
Description: Look for RC6 magic constants in binary
Reference: https://twitter.com/mikko/status/417620511397400576

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: SUSP_NET_Msil_Suspicious_Use_StrReverse
Author: dr4k0nia, modified by Florian Roth
Description: Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference: https://github.com/dr4k0nia/yara-rules

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Generic_Threat_803feff4
Author: Elastic Security

Rule name: Windows_Trojan_Asyncrat_11a11ba1
Author: Elastic Security

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: win_orcus_rat_simple_strings_dec_2023
Author: Matthew @ Embee_Research
Description: Strings observed in Orcus RAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetTempPathA
