MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c
SHA3-384 hash: d03f3d4c72fb17d7c6d839ba5228745f39dc6607221f3c3ffa2e69914ea5819bb58afc3f9420014896474df3079e2b0b
SHA1 hash: 33500513781da4c6ef41db97226c0658274d7d35
MD5 hash: a6d1d3dc7a39ba925ebc17953a7d6b24
humanhash: music-kansas-black-nitrogen
File name:A6D1D3DC7A39BA925EBC17953A7D6B24.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:643'072 bytes
First seen:2024-11-24 02:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GrOR0I5wPYCPQFcwbe/p206gPiwjver7bzoCUlTh4OQg:aImYxcw6/Y+XrcoCIL
Threatray 477 similar samples on MalwareBazaar
TLSH T140D4D07870AF55A7E15BC6740AF8BC631A7130E7B8C5A9B40BAD03558BA7F043E8461F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 1044f2b0e0c1f200 (2 x AsyncRAT, 1 x njrat, 1 x Formbook)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
3.145.156.44:7707

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.145.156.44:7707 https://threatfox.abuse.ch/ioc/1347049/

Intelligence

File Origin
# of uploads :
1
# of downloads :
438
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A6D1D3DC7A39BA925EBC17953A7D6B24.exe
Verdict:
No threats detected
Analysis date:
2024-11-24 02:17:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89c94b89-00dd-4c63-aab6-563f1685e0b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.8093.9441.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67428c64b31374f09833e48c
Tags:
asyncrat nanocore
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
nanocore packed packed packer_detected
Link:
https://www.filescan.io/uploads/67428c6204cce3ac5e2f6471/reports/fb0aff96-43ea-4532-a30b-03a7f899f319/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4864b2ec-c41d-416c-9c1d-d0b2243f2e62
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561650
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561650 Sample: 4yOuoT4GFy.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 44 skype.onthewifi.com 2->44 46 ronymahmoud.casacam.net 2->46 48 5 other IPs or domains 2->48 52 Multi AV Scanner detection for domain / URL 2->52 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 12 other signatures 2->58 8 4yOuoT4GFy.exe 7 2->8         started        12 StcHfDkbCv.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\StcHfDkbCv.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp1109.tmp, XML 8->40 dropped 42 C:\Users\user\AppData\...\4yOuoT4GFy.exe.log, ASCII 8->42 dropped 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 MSBuild.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        66 Multi AV Scanner detection for dropped file 12->66 24 schtasks.exe 12->24         started        26 MSBuild.exe 12->26         started        signatures6 process7 dnsIp8 68 Loading BitLocker PowerShell Module 14->68 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        50 ronymahmoud.casacam.net 3.145.156.44, 49737, 6606 AMAZON-02US United States 19->50 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        signatures9 process10
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c/
Threat name:
ByteCode-MSIL.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2024-11-17 12:18:28 UTC
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3szw6u2tgqwmlqscpwqxhccpd3onxhkredisnxkeljrquq4trga._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
1c30611e8e3a99301ffe1102d4f70c44fd2d7593878dcdf4178002777fe6e920
AsyncRAT
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05
AsyncRAT
56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c
AsyncRAT
89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4
AsyncRAT
error
AsyncRAT
fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e
AsyncRAT
+ 467 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241124-cp5e3synhs/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/efee2ad0-562f-44b3-8bd6-7da436332537
Unpacked files
SH256 hash:
56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c
MD5 hash:
a6d1d3dc7a39ba925ebc17953a7d6b24
SHA1 hash:
33500513781da4c6ef41db97226c0658274d7d35
Link:
https://www.unpac.me/results/fa3db217-1d02-4993-9342-b667cb9412d5/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56e59b7a9a99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments