MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
SHA3-384 hash: 2375da02c6a64e09c1b772cb710f897006819d26f97c519132185777386620ec07af0089fe4a6701a2975dc910ca2664
SHA1 hash: 4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
MD5 hash: 54dbe54846a05d5a1677a5ab2970bd6a
humanhash: grey-winner-paris-mockingbird
File name:Invoice-BL. Payment TT $ 28,945.99.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:804'352 bytes
First seen:2024-12-31 13:27:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5NMKhM39TXsTAiYRH3wbrccYpea/jiAsRaT21tKkxRzb53/x6Io5kZaiB:HMaciYlwkp5/o0i1tVRp6IfB
TLSH T19005CFC07B26B702DE59B4708936EEB862582F38700878F27EEE3B5775B9152591CF06
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 863b292b234d2b96 (7 x RedLineStealer, 3 x AsyncRAT, 1 x Formbook)
Reporter Anonymous
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
Verdict:
Malicious activity
Analysis date:
2024-12-14 19:06:21 UTC
Tags:
stealer stormkitty evasion telegram ims-api generic pastebin asyncrat rat arch-doc
Link:
https://app.any.run/tasks/3ce66ff9-d854-4d31-988c-660ebc4ad9b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Jalapeno-10038995-0
Create hunting rule

Win.Packed.Pwsx-10039066-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675dd72b8fb73f13afc70a94
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Launching the process to change network settings
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit masquerade packed packed packer_detected
Link:
https://www.filescan.io/uploads/6773f163500104185a2d03ca/reports/2f506aa1-0d7c-4b81-88ee-6bd5e9f5aaee/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aa5841bb-a97b-452b-b5f6-82a4ae4e9032
Result
Threat name:
AsyncRAT, StormKitty, WorldWind Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582796
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected WorldWind Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1582796 Sample: Invoice-BL. Payment TT $  2... Startdate: 31/12/2024 Architecture: WINDOWS Score: 100 70 api.telegram.org 2->70 72 59.60.14.0.in-addr.arpa 2->72 74 2 other IPs or domains 2->74 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 96 21 other signatures 2->96 9 Invoice-BL. Payment TT $  28,945.99.exe 7 2->9         started        13 SFHAWxtoIpgL.exe 5 2->13         started        signatures3 94 Uses the Telegram API (likely for C&C communication) 70->94 process4 file5 62 C:\Users\user\AppData\...\SFHAWxtoIpgL.exe, PE32 9->62 dropped 64 C:\Users\...\SFHAWxtoIpgL.exe:Zone.Identifier, ASCII 9->64 dropped 66 C:\Users\user\AppData\Local\...\tmp532A.tmp, XML 9->66 dropped 68 Invoice-BL. Paymen...  28,945.99.exe.log, ASCII 9->68 dropped 98 Found many strings related to Crypto-Wallets (likely being stolen) 9->98 100 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->100 102 Adds a directory exclusion to Windows Defender 9->102 15 Invoice-BL. Payment TT $  28,945.99.exe 15 163 9->15         started        19 powershell.exe 23 9->19         started        21 schtasks.exe 1 9->21         started        104 Multi AV Scanner detection for dropped file 13->104 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->106 108 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->108 110 Tries to harvest and steal WLAN passwords 13->110 23 SFHAWxtoIpgL.exe 13->23         started        25 schtasks.exe 13->25         started        signatures6 process7 dnsIp8 76 127.0.0.1 unknown unknown 15->76 78 api.telegram.org 149.154.167.220, 443, 49743, 49744 TELEGRAMRU United Kingdom 15->78 80 2 other IPs or domains 15->80 82 Tries to harvest and steal WLAN passwords 15->82 27 cmd.exe 15->27         started        30 cmd.exe 15->30         started        84 Loading BitLocker PowerShell Module 19->84 32 conhost.exe 19->32         started        34 WmiPrvSE.exe 19->34         started        36 conhost.exe 21->36         started        86 Tries to harvest and steal browser information (history, passwords, etc) 23->86 38 cmd.exe 23->38         started        40 cmd.exe 23->40         started        42 conhost.exe 25->42         started        signatures9 process10 signatures11 112 Uses netsh to modify the Windows network and firewall settings 27->112 114 Tries to harvest and steal WLAN passwords 27->114 44 conhost.exe 27->44         started        46 chcp.com 27->46         started        48 netsh.exe 27->48         started        50 findstr.exe 27->50         started        52 conhost.exe 30->52         started        54 chcp.com 30->54         started        56 netsh.exe 30->56         started        58 4 other processes 38->58 60 3 other processes 40->60 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-12-11 06:55:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kolf6rzbqpaor3eueavtxidrn6xy4ck6a45grdzts3clrxgkn4ya._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
unknown_loader_037
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
error
AsyncRAT
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty botnet:default discovery execution persistence phishing privilege_escalation rat spyware stealer
Link:
https://tria.ge/reports/241231-qqm43ssldt/
Behaviour
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Malicious
Tags:
Win.Packed.Jalapeno-10038995-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4e9571a0-d4f8-45ec-8c1e-1eff9d02690a
Unpacked files
SH256 hash:
366cfb2015078d80637bad5e41ba879903fafc17fe6d24d74210fbbfeaa07bd6
MD5 hash:
6c6509adcd386e5aa612f7a9c3d8a04b
SHA1 hash:
d36a9e2f20a88d035da9f976ba551358cbb3f913
Link:
https://www.unpac.me/results/a7d435f8-0075-4ef0-8d23-4e66a6ec740d/
SH256 hash:
153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af
MD5 hash:
f69889d705f5d72d65661b48535ae1b3
SHA1 hash:
4c8f3cf14130e6519339a370bba4527ecb012cde
Detections:
WorldWindStealer
Create hunting rule
win_asyncrat_w0
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
asyncrat
Create hunting rule
win_asyncrat_bytecodes
Create hunting rule
win_asyncrat_unobfuscated
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
MALWARE_Win_StormKitty
Create hunting rule
MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
MALWARE_Win_WorldWind
Create hunting rule
Link:
https://www.unpac.me/results/a7d435f8-0075-4ef0-8d23-4e66a6ec740d/
Parent samples :
53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513
153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af
e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
SH256 hash:
42d42ff2ebb040c744dd2ec338acf7a19a7ed7f0e2927449449c9faacd321204
MD5 hash:
6f49d28d16bf0969db5f5ac5b1e75c20
SHA1 hash:
39bf016382b45baaefe52b588be95ae5e75ac711
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a7d435f8-0075-4ef0-8d23-4e66a6ec740d/
SH256 hash:
fc4d3a7aad821226b92264c3ea56ecb2864123142008049fa51040af850d22a5
MD5 hash:
2dfd5777eccf0c5eda37f8f77cd73938
SHA1 hash:
635224c8609483eed664e6556b666381db642a77
Link:
https://www.unpac.me/results/a7d435f8-0075-4ef0-8d23-4e66a6ec740d/
SH256 hash:
53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
MD5 hash:
54dbe54846a05d5a1677a5ab2970bd6a
SHA1 hash:
4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
Link:
https://www.unpac.me/results/a7d435f8-0075-4ef0-8d23-4e66a6ec740d/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/53965f472183/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments