MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef
SHA3-384 hash:	35918c60e4aaca02839d3d2b52527c216d581ea15e5c1a4c96fa02d29edfc1b5df8e893a1044553eab1bf13ea14bb1c8
SHA1 hash:	0a7af4bb31249419603b60005670aec36aa7d6e4
MD5 hash:	b4f60407cc688d2327c5bc8dd39c0b00
humanhash:	don-bravo-triple-one
File name:	b4f60407cc688d2327c5bc8dd39c0b00
Download:	download sample
Signature	AsyncRAT Alert Create hunting rule
File size:	418'816 bytes
First seen:	2023-07-25 09:25:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:9QRlML1eQcUtQbRselQswFhg7nkwmMfwJ9MgjqJqim7PH7:9QK1e1mKQswFhgLnoJ2XJqig/7
Threatray	10 similar samples on MalwareBazaar
TLSH	T1039423250BF523DAD47103B042C0AC59367F81EBE45BAB4A8C0A86AE8D8377DB5445FF
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.8% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	zbetcheckin
Tags:	64 AsyncRAT exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

274

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN asyncrat

Malware family:

asyncrat

Alert

Create hunting rule

ID:

1

File name:

b4f60407cc688d2327c5bc8dd39c0b00

Verdict:

Malicious activity

Analysis date:

2023-07-25 09:26:53 UTC

Tags:

trojan rat asyncrat remote stealer

Link:

https://app.any.run/tasks/a4c6a4f5-a4f4-4b57-bbc4-ae6654225fa3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/432059/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.97730.11216.26896.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

Forced shutdown of a system process

Setting a global event handler for the keyboard

Unauthorized injection to a system process

FileScan.io

Gathering data

Hybrid Analysis MSILHeracles.Generic

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6fb4164d-345b-408e-bea8-f026b2197204

Joe Sandbox AsyncRAT, StormKitty, VenomRAT

Result

Threat name:

AsyncRAT, StormKitty, VenomRAT

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1278978

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected BrowserPasswordDump

Yara detected Costura Assembly Loader

Yara detected StormKitty Stealer

Yara detected UAC Bypass using CMSTP

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Fsysna

Threat name:

ByteCode-MSIL.Trojan.Fsysna

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-24 19:05:21 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

2

AV detection:

19 of 23 (82.61%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jsj2vmc4f6vssjdnagqs4d6nd57xfuoekyvefr4uzqssnoblqpxq._file

Threatray malicious

Verdict:

malicious

Similar samples:

2471e14de265a1cc39ea6030cec91bc81960aebcb02d50e0e59cb31fc55552e6

AsyncRAT

24e365e6ec99a774571ec4d93960c3896bbb987f43badd26406de8faa79b7211

AsyncRAT

2b8cd7175430c7efadb5156b883b63cbbd179579ee58dccb27efc68c22cdc819

AsyncRAT

67349de16fcd49c2df92647f3c27f5ef96506676261409e37da49c6ac5238435

AsyncRAT

8101d65f0f12946bd742b2b7513075ea485e3134258032252bef1938ac3cd3cd

AsyncRAT

97998689dcca7f8fac116a458168c2e7575f6442ef68e4729543799d07ccd849

AsyncRAT

a2d2a62835ec13260cc35eb5773e32b5205adf74c8dac852e614f6034c634309

AsyncRAT

ae5bf7d05d5714bf2758fd5c127f405de0c02223643a22279bcbf03fb648cd2d

AsyncRAT

b958a7545a164e5dc51389b078ed83e0fa5439d78cd8053b78f2dd70d67e7a58

AsyncRAT

f5c8ba20e455c2932d230c67583a09ddf63cc0b65e3c1cd3b0382eca083c9ee5

AsyncRAT

Hatching Triage asyncrat

Result

Malware family:

asyncrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/230725-ldmkkace2t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

89.185.85.103:4444

UnpacMe

Unpacked files

SH256 hash:

4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

MD5 hash:

b4f60407cc688d2327c5bc8dd39c0b00

SHA1 hash:

0a7af4bb31249419603b60005670aec36aa7d6e4

Link:

https://www.unpac.me/results/a5b32bfb-16e9-4fbb-a1ab-0e0dc439c77d/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c93aab05c2f/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

exe 4c93aab05c2fab29246d01a12e0fcd1f7f72d1c4562a42c794cc2526b82b83ef

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/432059/

  

URLhaus

https://urlhaus.abuse.ch/url/2689603/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-25 09:25:05 UTC

url : hxxps://hostedpk.com/misc/m4HBom6QaF.exe