MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
SHA3-384 hash: d8f112de0a2dd61ff337560d46a59adef2e64bc1acdd5140c96ff93f46797661e97863366982fc144b07b785f1ba942d
SHA1 hash: 4e18269b4c70931dcad3f7ca58e4f5db00411549
MD5 hash: 7f264ba8e4c519ce90c6e3b430945476
humanhash: april-oxygen-nevada-autumn
File name:7f264ba8e4c519ce90c6e3b430945476
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:522'240 bytes
First seen:2024-03-28 15:21:21 UTC
Last seen:2024-03-28 17:19:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9
Threatray 3'077 similar samples on MalwareBazaar
TLSH T1EFB42347F631D9B4EC86C2F045DA6E716BFAB45E999B11264CA8FA372B00C4B0C18FD5
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f.exe
Verdict:
Malicious activity
Analysis date:
2024-03-28 15:24:52 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/75ac5a05-ef77-465e-a6c4-bb7a4d5a32ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a file in the %AppData% directory
Creating a file
Searching for the window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/66058b32f7095ca3446da1c2/reports/269bd8fe-9c36-46d5-86ae-d96002723d16/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c17952a6-8806-44ed-86c5-f25e5f215cd8
Result
Threat name:
AsyncRAT, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417126
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417126 Sample: V1yLpoS3XR.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 50 leetboy.dynuddns.net 2->50 52 blue.o7lab.me 2->52 68 Snort IDS alert for network traffic 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 76 16 other signatures 2->76 9 V1yLpoS3XR.exe 3 2->9         started        13 svchos.exe 2->13         started        signatures3 74 Uses dynamic DNS services 50->74 process4 dnsIp5 46 C:\Users\user\AppData\Local\Temp\start.exe, PE32 9->46 dropped 48 C:\Users\user\AppData\Local\Temp\pop3.exe, PE32+ 9->48 dropped 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->78 16 pop3.exe 2 9->16         started        19 start.exe 7 9->19         started        56 leetboy.dynuddns.net 185.196.11.223, 1339, 49743 SIMPLECARRIERCH Switzerland 13->56 80 Antivirus detection for dropped file 13->80 82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 file6 signatures7 process8 file9 58 Multi AV Scanner detection for dropped file 16->58 60 Machine Learning detection for dropped file 16->60 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->62 66 4 other signatures 16->66 22 jsc.exe 1 2 16->22         started        25 WerFault.exe 19 16 16->25         started        27 jsc.exe 16->27         started        44 C:\Users\user\AppData\Roaming\svchos.exe, PE32 19->44 dropped 64 Antivirus detection for dropped file 19->64 29 cmd.exe 1 19->29         started        32 cmd.exe 1 19->32         started        signatures10 process11 dnsIp12 54 blue.o7lab.me 94.156.66.112, 4449, 49735 TERASYST-ASBG Bulgaria 22->54 86 Uses schtasks.exe or at.exe to add and modify task schedules 29->86 34 conhost.exe 29->34         started        36 schtasks.exe 29->36         started        38 conhost.exe 32->38         started        40 timeout.exe 32->40         started        42 svchos.exe 32->42         started        signatures13 process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-03-28 04:23:37 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfl5rvofqpxkif3s7omxspqt7hl6hq6cwdvszwdwyzorqnomrwhq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
32bdc05f94a1cd79e80677c623332a0eb1fe83163a62f235c8a50d44034fea41
AsyncRAT
35c73c6c8bed8697de74b1509caf030fae69fb856edefc47342adde573da928c
AsyncRAT
6bd3a9be98f3e06d4cefbc574149bd6f80e1bd96b6ac7131349313c2c9c19fae
AsyncRAT
88f4284bc8f0f23ab3b6c37b3c1ae3f04993af17c2b968900006960338898546
AsyncRAT
9c4382baca1a31a12c7e60bf324113f763e3d4e813ee518638a6f6f85aac3c70
AsyncRAT
e359c6277dcebf7b485dd5b3e54f25d60b4bbacf25f9818ac3f8604317136f4d
AsyncRAT
e3922972e0bf6c9b59bf0a4234818b92d9ccecda13d6ad729c86ab6143f79179
AsyncRAT
e91838e3f9c6aa4e1e043fa30ac176081877347166e52aa9b9cb1e7f25acecbf
AsyncRAT
fb0cedd17622c47554bc9fada82b2135838059aae5fa17ead92ab3fd222cfab5
AsyncRAT
+ 3'067 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:exodus_market botnet:wdkiller rat spyware stealer
Link:
https://tria.ge/reports/240328-srwhysad77/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
leetboy.dynuddns.net:1339
blue.o7lab.me:4449
Unpacked files
SH256 hash:
447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
MD5 hash:
c1ade258f05c512e98ebc4d9d1165f8a
SHA1 hash:
acf20f6a7dc7841ae06f801b887289fdc99e0488
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/a4962954-0db1-432d-b57d-bcfbdeb972e9/
Parent samples :
5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
447eae52ab1979405497866c72df7ec0703085ad6946ab0127f612b1518f8759
SH256 hash:
5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f
MD5 hash:
7f264ba8e4c519ce90c6e3b430945476
SHA1 hash:
4e18269b4c70931dcad3f7ca58e4f5db00411549
Link:
https://www.unpac.me/results/a4962954-0db1-432d-b57d-bcfbdeb972e9/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5157d8d5c583/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2794944/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments


Avatar
zbet commented on 2024-03-28 15:21:22 UTC

url : hxxp://93.123.39.68/go.exe