MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c
SHA3-384 hash:	d4fc79f8213fb9839425580ad2adaa8f9e9e8802852497f02193fa4bb3127890689d5f36e433999eef84a7e384c0a803
SHA1 hash:	d81e792f7350c084cec6e2252a50f357df66d56d
MD5 hash:	1626f5ac8fdc4d59d1837a9730ce0900
humanhash:	muppet-vegan-oregon-lion
File name:	Pago.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	594'944 bytes
First seen:	2023-01-03 20:55:38 UTC
Last seen:	2023-01-03 22:29:43 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:SlBtD301JqiDErwq/EPIukpw09EHmP5G4gcuNOMqXNnnIX69dLBZc9Y1:S5DGqiQrh/EPIJpwZH0k6uNbqXNnP
Threatray	2'354 similar samples on MalwareBazaar
TLSH	T17BC4E0DD761072EFC86BD872CE982C68EB6175BB931B4103942755EDAA4C897CF180F2
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	0xToxin
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pago.exe

Verdict:

Malicious activity

Analysis date:

2023-01-03 20:57:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bc65cb0d-f91a-4dd4-b167-deb5d22c9a97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349246/

Detection(s):

PUA.Win.Packed.ConfuserEx-6391397-0

PUA.Win.Packed.ConfuserEx-6582917-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Launching a process

Creating a process with a hidden window

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex packed

Link:

https://www.filescan.io/uploads/63b496630e926711fd76b17e/reports/c40512a3-58bf-4b86-adb8-937b40a680f3/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7a7d7ec1-58b3-4a3a-9e71-d2163cf08dbe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-01-03 18:09:38 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jczjkrxgwyd6xejm4s4zk4rezfqgwdpy6x5fwdnaxip5pjxmtz6a._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595

AsyncRAT

1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

AsyncRAT

417ae2d5f5111ddf80b63c443e14b70ec2052b3e64a35940c9f81f262f7e526e

AsyncRAT

68346d23f359a27744b49d6ea9bd229f2929d1cee057670d2ba73545c0ba427d

AsyncRAT

963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5

AsyncRAT

a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e

AsyncRAT

e77f29f3b57b776b5ffb2ed7fdf461702166396172d32809646ef08872894725

AsyncRAT

ef02701e2196f54b5858bcb67a41d34fc9a5f248efdae181c701c200950d638d

AsyncRAT

+ 2'344 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/230103-zqz83sgb4y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c

MD5 hash:

1626f5ac8fdc4d59d1837a9730ce0900

SHA1 hash:

d81e792f7350c084cec6e2252a50f357df66d56d

Link:

https://www.unpac.me/results/d6bb8286-9d5d-4475-8bd9-6582a1fb65db/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/349246/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample