MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT
Vendor detections: 14

SHA256 hash: 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA3-384 hash: d8b5b71f9a0e882c145b7b300b2d1589aa38c33697f1af2f7884931e82f2e1b1d9ebe5a537f961583dccfcaa2039d288
SHA1 hash: b24d472f1cb43e0c114de888e9726a6cb8fafca3
MD5 hash: 1b018d9d77edf9c08d39bc6080cf50d2
humanhash: quiet-five-texas-happy
File name: 1b018d9d77edf9c08d39bc6080cf50d2.exe
Signature: AsyncRAT
File size: 3'942'913 bytes
First seen: 2024-04-07 22:10:11 UTC
Last seen: 2024-04-07 22:33:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 163e11748bde1b8a8c7d5040c9da5ca0 (1 x AsyncRAT)
ssdeep: 98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je
Threatray: 287 similar samples on MalwareBazaar
TLSH: T1F2062316E57AB0EDEDD9A8FF8A079FCA3C3F5CE71A750D28A7263D06C49191144CE460
TrID: 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.9% (.ICL) Windows Icons Library (generic) (2059/9)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
      6.7% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 6061c4cc8c96f2cc (1 x AsyncRAT)
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


Comment by abuse_ch:
AsyncRAT C2:
172.111.131.97:8808

Intelligence

File Origin
# of uploads: 2
# of downloads: 364
Origin country: NL

Vendor Threat Intelligence
Malware family: babylon
ID: 1
File name: 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
Verdict: Malicious activity
Analysis date: 2024-04-07 22:12:11 UTC
Tags: babylon rat remote asyncrat xenorat darkcomet

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
DNS request
Connection attempt
Setting a keyboard event handler
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Changing the hosts file
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, AveMaria, BabylonRAT, DarkCome
Detection: malicious
Classification: phis.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to hide user accounts
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powershell cmdlets to delay payload execution
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected AveMaria stealer
Yara detected BabylonRAT
Yara detected DarkComet
Yara detected Generic Downloader
Yara detected ParadoxRAT
Yara detected UACMe UAC Bypass tool
Yara detected XenoRAT
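The Sigma hit "Suspicious Encoded PowerShell Command Line", the signature "Encrypted powershell cmdline option found" and "Uses powershell cmdlets to delay payload execution" describe one detection pattern: a powershell.exe launch whose -EncodedCommand (Base64 over UTF-16LE) only reveals a Start-Sleep followed by the launch of a dropped file once it is decoded. The Python below is an added example written for this page, not code from MalwareBazaar or any of the sandboxes quoted above. It decodes the switch the way powershell.exe does and flags delay primitives in the decoded script (or in the raw line for timeout.exe, which the behaviour list also reports). The command lines it runs over are constructed; only the dropped-file names Lfczxnkd.exe and drvmonit.exe are taken from the behaviour graph, and the list of accepted switch prefixes is a shortened assumption (PowerShell accepts any unambiguous prefix of -EncodedCommand).

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common
# abbreviations are covered here (assumption: the full prefix set is longer). The
# trailing \b stops -ExecutionPolicy from matching the "-e" alternative.
ENCODED_SWITCH = re.compile(
    r'(?i)(?<![\w-])-(?:e|ec|en|enc|encoded|encodedcommand)\b\s+"?([A-Za-z0-9+/=]{16,})"?')

# Delay primitives the sandboxes reported: Start-Sleep inside PowerShell and
# timeout.exe from cmd.exe.
DELAY = re.compile(r'(?i)\bStart-Sleep\b|\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+')


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if there is none.

    powershell.exe expects Base64 over UTF-16LE text, so that is what is undone
    here; a blob that is not valid Base64/UTF-16 is treated as absent."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        return base64.b64decode(blob, validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def encode_command(script):
    """Encode a script the way an operator does before passing it to -EncodedCommand."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def triage_cmdlines(cmdlines):
    """Return (index, form, text) for every command line that delays execution.

    form is 'encoded' when the delay was only visible after decoding
    -EncodedCommand (the combination the Sigma rule and the delay signature
    point at) and 'plain' when it is visible in the raw command line."""
    hits = []
    for i, line in enumerate(cmdlines):
        script = decode_encoded_command(line)
        text = script if script is not None else line
        if DELAY.search(text):
            hits.append((i, 'encoded' if script is not None else 'plain', text))
    return hits


# Constructed process command lines; only the dropped-file names (Lfczxnkd.exe,
# drvmonit.exe) are taken from the behaviour graph on this page.
CONSTRUCTED_CMDLINES = [
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand '
    + encode_command('Start-Sleep -Seconds 45; Start-Process "$env:APPDATA\\Lfczxnkd.exe"'),
    'powershell.exe -w hidden -enc ' + encode_command('Get-Process | Out-Null'),
    'powershell.exe -Command Get-Date',
    'cmd.exe /c timeout /t 30 & start "" "%APPDATA%\\drvmonit.exe"',
]

if __name__ == '__main__':
    for idx, form, text in triage_cmdlines(CONSTRUCTED_CMDLINES):
        print(f'[{idx}] {form}: {text}')
```

Feed it Sysmon event 1 / 4688 command lines; an 'encoded' hit is the case the two signatures above describe, while a 'plain' hit is the timeout.exe variant the behaviour list reports.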
Behaviour
Behavior Graph (ID 1421808; sample SYVA2te3iZ.exe; start date 08/04/2024; architecture WINDOWS; score 100), reproduced as an indented process tree. Node numbers are the graph's own; "dropped" lists files written by that process and "Signatures" the detections attached to it.

[2] start
    DNS: dgorijan20785.hopto.org; bg.microsoft.map.fastly.net
    Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 19 other signatures
    [12] SYVA2te3iZ.exe
        dropped: C:\Users\user\AppData\Local\...\smsAF55.tmp (PE32)
        [22] smsAF55.tmp
            dropped: C:\Users\user\AppData\Local\...\wintskl.exe (PE32+); C:\Users\user\AppData\Local\...\winlists.exe (PE32+); C:\Users\user\AppData\Local\...\usbserv.exe (PE32); 4 other malicious files
            Signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
            [32] rarwin.exe
                dropped: C:\Users\user\AppData\...\Lfczxnkd.exe (PE32)
                Signatures: Multi AV Scanner detection for dropped file; Encrypted powershell cmdline option found; Creates multiple autostart registry keys
                [46] InstallUtil.exe
                    dropped: C:\Users\user\AppData\Local\...\WINPLAY.EXE (PE32); C:\Users\user\AppData\Local\...\WINLOGONL.EXE (PE32); C:\Users\user\AppData\Local\...\WINCPUL.EXE (PE32); 3 other malicious files
                    Signatures: Installs a global keyboard hook
                    [67] ADOBESERV.EXE
                        dropped: C:\Users\user\AppData\Roaming\...\Dbawda.exe (PE32)
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 3 other signatures
                        [83] powershell.exe
                            [104] conhost.exe
                    [71] WINCPUL.EXE
                        Signatures: Contains functionality to hide user accounts; Encrypted powershell cmdline option found; Uses powershell cmdlets to delay payload execution
                        [85] WINCPUL.EXE
                            dropped: C:\Users\user\Documents\wintsklt.exe (PE32); C:\Users\user\...\Documents:ApplicationData (PE32, alternate data stream); C:\Users\user\AppData\...\programs.bat:start (ASCII, alternate data stream); C:\Users\user\AppData\...\programs.bat (ASCII)
                            Signatures: Creates files in alternative data streams (ADS); Contains functionality to hide user accounts; Increases the number of concurrent connection per server for Internet Explorer
                        [89] powershell.exe
                            [106] conhost.exe
                    [73] DRVVIDEO.EXE
                        dropped: C:\Users\user\AppData\Roaming\...\Qtipp.exe (PE32)
                        Signatures: Machine Learning detection for dropped file; Creates multiple autostart registry keys
                        [91] DRVVIDEO.EXE
                            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Creates a thread in another existing process (thread injection)
                        [93] powershell.exe
                            [108] conhost.exe
                    [81] 9 other processes
                        dropped: C:\Users\user\AppData\Roaming\...\Lsqbtn.exe (PE32); C:\Users\user\AppData\Roaming\...\Mpkly.exe (PE32)
                        Signatures: Drops PE files to the document folder of the user; Drops script or batch files to the startup folder; Writes to foreign memory regions
                        [97] AUDIOPT.EXE
                            Network: 45.74.4.244, ports 35800, 5199, 8808 (M247GB, United States)
                            Signatures: Installs a global keyboard hook
                        [100] powershell.exe
                            [112] conhost.exe
                        [102] 8 other processes
                            [114] conhost.exe; [116] conhost.exe; [118] conhost.exe; [120] 4 other processes
                [50] powershell.exe
                    [75] conhost.exe
            [36] svlhost.exe
                dropped: C:\Users\user\AppData\Local\...\smsBA80.tmp (PE32)
                [52] smsBA80.tmp
                    Network: dgorijan20785.hopto.org resolved to 172.111.131.97, ports 19191, 35800, 4488 (ASDETUKhttpwwwheficedcomGB, United States)
                    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to register a low level keyboard hook
                [55] conhost.exe
            [38] winlists.exe
                dropped: C:\Users\user\AppData\Local\...\smsBD11.tmp (PE32)
                [57] smsBD11.tmp
                    dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
                    Signatures: Modifies the hosts file
                [59] conhost.exe
            [44] 4 other processes
                dropped: C:\Users\user\AppData\Roaming\...\usbserv.exe (PE32); C:\Users\user\AppData\...\drvmonit.exe (PE32); C:\Users\user\AppData\Local\...\smsBD6E.tmp (PE32); C:\Users\user\AppData\Local\...\smsB1D6.tmp (PE32)
                Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses powershell cmdlets to delay payload execution
                [61] drvmonit.exe
                    dropped: C:\Users\user\AppData\Local\...\tmpC677.tmp (ASCII)
                    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                    [77] schtasks.exe
                        [95] conhost.exe
                [63] smsB1D6.tmp
                [65] 5 other processes
                    [79] conhost.exe
        [26] conhost.exe
    [15] Lfczxnkd.exe
        Signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        [28] powershell.exe
            [40] conhost.exe
    [18] Lfczxnkd.exe
        Signatures: Uses powershell cmdlets to delay payload execution
        [30] powershell.exe
            [42] conhost.exe
    [20] drvmonit.exe
Threat name: Win64.Backdoor.AsyncRAT
Status: Malicious
First seen: 2024-04-01 05:19:47 UTC
File Type: PE+ (Exe)
Extracted files: 12
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Result
Malware family: xenorat
Score: 10/10
Tags: family:asyncrat family:babylonrat family:darkcomet family:warzonerat family:xenorat botnet:2024+apre2-new botnet:new-july-july4-0 botnet:new-july-july4-02 infostealer persistence rat trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Async RAT payload
Warzone RAT payload
AsyncRat
Babylon RAT
Darkcomet
WarzoneRat, AveMaria
XenorRat
Malware Config
C2 Extraction:
dgorijan20785.hopto.org
dgorijan20785.hopto.org:6606
dgorijan20785.hopto.org:7707
dgorijan20785.hopto.org:8808
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
dgorijan20785.hopto.org:35800
dgorijan20785.hopto.org:5199
45.74.4.244:5199
45.74.4.244:35800
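The extracted configuration names one dynamic-DNS hostname and the IP 45.74.4.244, while the abuse_ch comment at the top of the entry gives 172.111.131.97:8808 and the behaviour graph records dgorijan20785.hopto.org resolving to 172.111.131.97 during that run. For a hopto.org name the hostname is the durable pivot; the IPs are whatever it pointed at when each sandbox ran, and they will move again. The Python below is an added example for this page, not MalwareBazaar code: it parses the list above (plus the reporter's endpoint), matches it against log lines, and treats any new resolution of the C2 hostname as a C2 IP for the rest of the stream so that the follow-on connection is caught even though that IP is on no list. The log format, the client addresses, the benign entries and the new resolution 198.51.100.7 are all constructed for the demonstration.

```python
import ipaddress

# C2 endpoints listed in the extracted configuration above, plus the endpoint from
# the abuse_ch comment (172.111.131.97:8808). Nothing here goes beyond the page.
C2_ENDPOINTS = """
dgorijan20785.hopto.org
dgorijan20785.hopto.org:6606
dgorijan20785.hopto.org:7707
dgorijan20785.hopto.org:8808
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
dgorijan20785.hopto.org:35800
dgorijan20785.hopto.org:5199
45.74.4.244:5199
45.74.4.244:35800
172.111.131.97:8808
"""


def parse_c2_list(text):
    """Split host[:port] lines into (hostnames, ips, ports).

    A bare hostname means "any port" for that host; ports are pooled because the
    sandboxes saw both IPs contacted on overlapping port sets."""
    hosts, ips, ports = set(), set(), set()
    for entry in text.split():
        host, sep, port = entry.rpartition(':')
        if not sep:                      # no port given
            host, port = port, ''
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:               # not an IP literal, so a hostname
            hosts.add(host.lower().rstrip('.'))
        if port:
            ports.add(int(port))
    return hosts, ips, ports


# Constructed log lines, tab-separated: kind, time, client, qname-or-dst,
# rtype-or-dport, answer-or-proto. Clients, the benign entries and the
# resolution to 198.51.100.7 are invented for the demonstration.
CONSTRUCTED_LOGS = [
    "dns\t2024-04-08T09:12:01Z\t10.0.0.15\tdgorijan20785.hopto.org\tA\t172.111.131.97",
    "conn\t2024-04-08T09:12:02Z\t10.0.0.15\t172.111.131.97\t8808\ttcp",
    "conn\t2024-04-08T09:12:02Z\t10.0.0.15\t45.74.4.244\t35800\ttcp",
    "dns\t2024-04-08T09:13:44Z\t10.0.0.22\tupdates.example.net\tA\t192.0.2.10",
    "conn\t2024-04-08T09:13:45Z\t10.0.0.22\t192.0.2.10\t443\ttcp",
    "dns\t2024-04-08T11:40:07Z\t10.0.0.31\tDGORIJAN20785.HOPTO.ORG.\tA\t198.51.100.7",
    "conn\t2024-04-08T11:40:08Z\t10.0.0.31\t198.51.100.7\t7707\ttcp",
    "conn\t2024-04-08T11:41:30Z\t10.0.0.31\t45.74.4.244\t443\ttcp",
]


def match_logs(log_lines, c2):
    """Return (hits, learned_ips).

    hits holds (line, reason) for every DNS query of a C2 hostname, DNS answer
    that is a C2 IP, and connection to a C2 IP. A C2 hostname resolving to an
    IP not yet on the list adds that IP for the rest of the stream: repointing
    a dynamic-DNS name is far cheaper for the operator than rebuilding the
    sample, so the hostname outlives any single IP."""
    hosts, ips, ports = c2
    ips = set(ips)                       # work on a copy; the caller's set is untouched
    learned, hits = set(), []
    for line in log_lines:
        f = line.split('\t')
        if f[0] == 'dns':
            qname, answer = f[3].lower().rstrip('.'), f[5]
            if qname in hosts:
                hits.append((line, 'dns: query for C2 hostname'))
                if answer not in ips:
                    ips.add(answer)
                    learned.add(answer)
            elif answer in ips:
                hits.append((line, 'dns: answer is a C2 IP'))
        elif f[0] == 'conn':
            dst, dport = f[3], int(f[4])
            if dst in ips:
                where = 'listed' if dport in ports else 'unlisted'
                hits.append((line, f'conn: C2 IP on {where} port {dport}'))
    return hits, learned


if __name__ == '__main__':
    hits, learned = match_logs(CONSTRUCTED_LOGS, parse_c2_list(C2_ENDPOINTS))
    for line, reason in hits:
        print(reason, '|', line)
    print('learned C2 IPs:', sorted(learned))
```

A connection to a listed IP on an unlisted port is still reported (the last constructed line): the port sets here come from a few sandbox runs and AsyncRAT operators configure them freely, so the IP match is the stronger signal and the port only raises confidence.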
Unpacked files
SHA256 hash: 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
MD5 hash: 1b018d9d77edf9c08d39bc6080cf50d2
SHA1 hash: b24d472f1cb43e0c114de888e9726a6cb8fafca3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: NET
Author: malware-lu

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth (Nextron Systems)
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high
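The three findings correspond to fields in the PE optional header: CHECK_NX to the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (DEP opt-in), CHECK_PIE to IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in, the Windows meaning of "position independent"), and CHECK_AUTHENTICODE to an empty security data directory (slot 4, where a WIN_CERTIFICATE would be referenced). The Python below is an added example, not BLint's own code; it reads those fields with only the standard library and reproduces the finding IDs, with the flag-to-check mapping being this example's reading of the finding titles. The two images it checks are constructed header-only PE files, not this sample. One caveat when reading the table: the sample is tagged as UPX packed in the vendor results above, so these findings describe the packer's outer layer; whatever is unpacked in memory has its own header and needs its own check.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040      # ASLR opt-in: what "PIE" means for a Windows image
NX_COMPAT = 0x0100         # DEP/NX opt-in
SECURITY_DIRECTORY = 4     # data-directory slot that points at the Authenticode blob


def check_pe_hardening(data: bytes) -> dict:
    """Read the optional header and report the three properties BLint flagged.

    Returns the raw flags plus a 'findings' list using BLint's check IDs; the
    mapping flag -> check ID is this example's reading of the finding titles."""
    if data[:2] != b'MZ':
        raise ValueError('not a DOS/PE image')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    opt = e_lfanew + 4 + 20                  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:
        plus = False                         # PE32
    elif magic == 0x20B:
        plus = True                          # PE32+
    else:
        raise ValueError(f'unknown optional header magic {magic:#x}')
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars = struct.unpack_from('<H', data, opt + 70)[0]
    # NumberOfRvaAndSizes is at 92 (PE32) / 108 (PE32+); directories follow it.
    ndirs_off = opt + (108 if plus else 92)
    ndirs = struct.unpack_from('<I', data, ndirs_off)[0]
    sec_size = 0
    if ndirs > SECURITY_DIRECTORY:
        # For the security directory the first field is a file offset, not an RVA.
        _sec_off, sec_size = struct.unpack_from(
            '<II', data, ndirs_off + 4 + 8 * SECURITY_DIRECTORY)
    result = {
        'pe32plus': plus,
        'nx': bool(dll_chars & NX_COMPAT),
        'pie': bool(dll_chars & DYNAMIC_BASE),
        'high_entropy_va': bool(dll_chars & HIGH_ENTROPY_VA),
        'authenticode': sec_size > 0,
    }
    findings = []
    if not result['authenticode']:
        findings.append('CHECK_AUTHENTICODE')
    if not result['nx']:
        findings.append('CHECK_NX')
    if not result['pie']:
        findings.append('CHECK_PIE')
    result['findings'] = findings
    return result


def build_minimal_pe(pe32plus: bool, dll_chars: int, signed: bool) -> bytes:
    """Construct a header-only PE image for the demonstration; it does not load."""
    opt_size = 240 if pe32plus else 224      # header fields + 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into('<H', opt, 70, dll_chars)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into('<I', opt, ndirs_off, 16)
    if signed:
        # Pretend a WIN_CERTIFICATE blob sits at file offset 0x400, 0x1800 bytes long.
        struct.pack_into('<II', opt, ndirs_off + 4 + 8 * SECURITY_DIRECTORY, 0x400, 0x1800)
    coff = struct.pack('<HHIIIHH', 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)    # e_lfanew: PE header right after DOS header
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt)


# Constructed images: one showing the three findings reported for this sample,
# one with ASLR, DEP and a signature reference present.
STRIPPED_PE = build_minimal_pe(True, 0, signed=False)
HARDENED_PE = build_minimal_pe(True, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, signed=True)

if __name__ == '__main__':
    for name, image in (('stripped', STRIPPED_PE), ('hardened', HARDENED_PE)):
        print(name, check_pe_hardening(image))
```

On a real file, pass the bytes of the executable to check_pe_hardening; a non-zero security directory only says a signature blob is referenced, and verifying that the signature is valid and chains to a trusted root is a separate step this example does not perform.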
