MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc
SHA3-384 hash:	2601be0e56c5dd704095e0e19c71a24d7607a384d0d0930016392abb3867322aeddb70eee3142e55c479575e0f32ace0
SHA1 hash:	9f6fe18754505cb13a14dc7c4deeaf548ea17ccb
MD5 hash:	77d854c933cb22980e553d4b1f888329
humanhash:	magnesium-social-hamper-quiet
File name:	Fwzfq.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	2'536'960 bytes
First seen:	2022-08-27 18:30:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:1A/pXmdvdfK5u7VTWZthCM0qu9TlJNKNANNrjNNrrpH6VR1xsHrqs:bio7wbhSXTlJNKNANNrjNNrGjxsGs
Threatray	2'535 similar samples on MalwareBazaar
TLSH	T1C0C5D021DA8254B8EFB26D9EB0F63CA8ED35095A63C512F2FB17D48C7A805F46F8550C
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	r3dbU7z
Tags:	AsyncRAT backdoor exe

Intelligence

File Origin

# of uploads :

# of downloads :

555

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Fwzfq.exe

Verdict:

No threats detected

Analysis date:

2022-08-27 18:32:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3877824e-0be4-43d2-8865-bef2ad857608

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301689/

Detection(s):

SecuriteInfo.com.VHO.Backdoor.MSIL.Zlugin.gen.21614.23061.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed wacatac

Link:

https://www.filescan.io/uploads/630a62ed05ef0c24e42b15f8/reports/ce2dbfc7-10e6-44a3-a5bb-c168ee91ec79/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/602b9a9b-a1c7-4d45-8311-ca7f60177be4

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1059009

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AsyncRAT

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc/

Threat name:

ByteCode-MSIL.Backdoor.Zlugin

Status:

Malicious

First seen:

2022-08-27 18:31:15 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iuutpujkptfjna7o7johkjzvmbjdq4ocf4jouvwbsmyghqxygc6a._file

Verdict:

malicious

Label(s):

masslogger

AsyncRAT

17a9c96093b91e23c0b7eb2482b6c253ba334b1d0999bfa4803cb3364e0e8ad7

AsyncRAT

33ad97412d0ea51dd14c970ea67a92b237b28de04add5ecc3f64f9696fb3ed1c

AsyncRAT

4318422cce325ea41065183cfbd8da31ae43d27d467c02476123b84bddaa6eb3

AsyncRAT

8b23122d08b2c1a1d8217a51a156c68cefb2cdab4ffc58aceb048d21fbc54354

AsyncRAT

989d751b53b8c3d3d57111fe727904298f8723cab3b656db6da4bacfd9a2ed18

AsyncRAT

aacb32e6d8717a1aa7836996f0b6388bffba81978d0d4753cc69c0c56d9beb47

AsyncRAT

b3fe4fd7f741756b5632607a83a4269984b1059f7b60550bafd87482d638b968

AsyncRAT

c53364e68c93eac3f3135721a2e28441af61ca6499a1f3ca5cdd8dcff37e5108

AsyncRAT

+ 2'525 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/220827-w5f7zaeden/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc

MD5 hash:

77d854c933cb22980e553d4b1f888329

SHA1 hash:

9f6fe18754505cb13a14dc7c4deeaf548ea17ccb

Link:

https://www.unpac.me/results/00fbc997-4545-445b-9a24-f81812c36491/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

exe 452937d12a7cca9683eefa5c75273560523871c22f12ea56c1933063c2f830bc

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/301689/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample