MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a
SHA3-384 hash:	d21a7d8fe3f80aad3751ed653258d4c973ceb6242bb7dcf2be070b656084590fb1e4413daec79cea384611548c0836cd
SHA1 hash:	185ae7016fa1c6d9405ff55e4bdaab5f3e4c99f9
MD5 hash:	2db6025c02675ae0833b762b2eae2055
humanhash:	william-missouri-ink-arizona
File name:	RequestForQuotationCompanyProfile.scr.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	479'232 bytes
First seen:	2023-09-19 20:00:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	6144:LI7eGY2GhNxjbMQinH87tKaz96NN2t7GtKmvK9bLwhcaZAYTl5LGk4jy+RBT9gj3:eS2iNV1US6NN26C9bGAYTlNGk4jnpy
Threatray	201 similar samples on MalwareBazaar
TLSH	T14EA4125A62FD7F62C2BE87F228D6640243BCA6393090E7A50DC635DB5525B12072BE73
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
80.76.51.237:2023

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

RequestForQuotationCompanyProfile.scr.exe

Verdict:

Malicious activity

Analysis date:

2023-09-19 20:02:48 UTC

Tags:

rat asyncrat remote

Link:

https://app.any.run/tasks/9f66e121-8cf1-4a2c-a061-d57baf2d9dea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AsyncRat

Link:

https://www.capesandbox.com/analysis/449835/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Launching a process

Restart of the analyzed sample

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6509fe011edabd99829d3144/reports/ffae8f47-f3a8-41fd-9960-e5aa9885c576/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5b84666-1b2f-4f81-ba32-0c57d55eaaf6

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1311104

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

asyncrat

Link:

https://mwdb.cert.pl/sample/535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a/

Threat name:

Win32.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2023-09-19 15:27:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=knmiizi6rtwwaudu372cebsr6thlalvimas76jzbzaln4kuu7vva._file

Verdict:

malicious

Label(s):

asyncrat

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:mass_spread_july rat

Link:

https://tria.ge/reports/230919-yrjgaabg8s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

mass2023.duckdns.org:2023

Unpacked files

SH256 hash:

0556b7da7a26f9d10ebe66ed3f6c3aa76eec4d0001f15054d768e6af6eef6439

MD5 hash:

cde1ff563a0b3dcee8b0f5cdeeb65b41

SHA1 hash:

cedf8d8677983cec339500586cc1bb19aa8a647e

Detections:

AsyncRAT

win_asyncrat_w0

Link:

https://www.unpac.me/results/3384508c-3943-4c04-88e1-1ef419f7e13d/

Parent samples :

fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b
535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a

SH256 hash:

4a8d70ece798fb6955e46bdb4b4813924a3bbcf205e585fd0aef148123a44489

MD5 hash:

3bcd5e9d69da03ebe27b9c2e472d9e8d

SHA1 hash:

aa268bd00ed60a5907b4b2a669ddd21a1b8bb4da

Link:

https://www.unpac.me/results/3384508c-3943-4c04-88e1-1ef419f7e13d/

SH256 hash:

cdc409235066f7e33cd97ef153637ea4d78ab4ba63f3670cdaa9943f61477544

MD5 hash:

61f54540651bce6d72a8eda309e21af4

SHA1 hash:

3b78e09b78f20af96604b4fc7e5355e2bda28544

Link:

https://www.unpac.me/results/3384508c-3943-4c04-88e1-1ef419f7e13d/

SH256 hash:

784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80

MD5 hash:

5caf74e6818e40e82651781613a42425

SHA1 hash:

2a182b1552373e0907bfd03db31120596df994d0

Link:

https://www.unpac.me/results/3384508c-3943-4c04-88e1-1ef419f7e13d/

SH256 hash:

535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a

MD5 hash:

2db6025c02675ae0833b762b2eae2055

SHA1 hash:

185ae7016fa1c6d9405ff55e4bdaab5f3e4c99f9

Link:

https://www.unpac.me/results/3384508c-3943-4c04-88e1-1ef419f7e13d/

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/535884651e8c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/535884651e8ced605074dff4220651f4ceb02ea86025ff2721c816de2a94fd6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/449835/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample