MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac
SHA3-384 hash: a4578c912c7b68db3b7e5e325ff18b638a3db1b4c0e06b6926f6e5c800973ec4dc781a254d8727810a36a91fe441474f
SHA1 hash: d57d2fc86bca33214888c5d923530feb5c5ffe09
MD5 hash: 3fbeb0ac2c7cd329a43dbab6e2025f37
humanhash: ten-eleven-lamp-artist
File name:FRED.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'097'152 bytes
First seen:2023-03-28 14:18:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:mEnzWZMHMpOEd2YM0Nyf7S6NGZ/Je8HOTcvVAOljt2z:mEnzWsM3d80NyW5xtOKzjt2
Threatray 1'527 similar samples on MalwareBazaar
TLSH T151A523432FC4C287E13D637474536B9205F5C5B3A502E1AB66A8CB9B2452F0B9A5FC3E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon aa8e9eaecab68eb2 (1 x AsyncRAT)
Reporter malwarelabnet
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
FRED.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 14:19:49 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/7ee3c2f8-2964-4ded-be58-8d16c2bc1009

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378197/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Modifying a system executable file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6422f7578f3f4544f6cc7a38/reports/7bcbb02d-df97-4d45-bb0b-3089803023a7/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dea9d101-ddd5-49ae-b14b-dda9360fbc33
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203521
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836444 Sample: FRED.exe Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 .NET source code contains potential unpacker 2->90 92 3 other signatures 2->92 8 FRED.exe 4 2->8         started        13 FRED.exe 2->13         started        15 FRED.exe 2->15         started        process3 dnsIp4 72 192.168.2.1 unknown unknown 8->72 66 C:\Users\user\AppData\...\phvnc4000new.exe, PE32 8->66 dropped 68 C:\Users\user\AppData\Local\...\FRED.exe.log, ASCII 8->68 dropped 94 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->94 96 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->96 98 Queries memory information (via WMI often done to detect virtual machines) 8->98 17 phvnc4000new.exe 1 8->17         started        20 FRED.exe 8->20         started        22 cmd.exe 3 8->22         started        31 2 other processes 8->31 100 Multi AV Scanner detection for dropped file 13->100 102 Machine Learning detection for dropped file 13->102 104 Injects a PE file into a foreign processes 13->104 25 cmd.exe 13->25         started        27 cmd.exe 13->27         started        33 2 other processes 13->33 29 cmd.exe 15->29         started        35 3 other processes 15->35 file5 signatures6 process7 file8 76 Antivirus detection for dropped file 17->76 78 Multi AV Scanner detection for dropped file 17->78 80 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->80 84 4 other signatures 17->84 43 2 other processes 17->43 47 2 other processes 20->47 62 C:\Users\user\AppData\Roaming\FRED\FRED.exe, PE32 22->62 dropped 64 C:\Users\user\...\FRED.exe:Zone.Identifier, ASCII 22->64 dropped 37 conhost.exe 22->37         started        49 2 other processes 25->49 39 conhost.exe 27->39         started        51 2 other processes 29->51 82 Uses schtasks.exe or at.exe to add and modify task schedules 31->82 53 3 other processes 31->53 41 conhost.exe 33->41         started        55 2 other processes 35->55 signatures9 process10 dnsIp11 74 phvnc4000new.duckdns.org 31.42.188.159, 4000, 49715 SERVERIUS-ASNL Ukraine 43->74 106 Tries to harvest and steal Bitcoin Wallet information 43->106 108 Injects a PE file into a foreign processes 47->108 57 WerFault.exe 47->57         started        60 FRED.exe 47->60         started        signatures12 process13 file14 70 C:\ProgramData\Microsoft\...\Report.wer, Unicode 57->70 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-28 14:19:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k375mwoysio2wfg5h2r6nvlqfij4alnq7hub2nbtgsiu4efr36wa._file
Verdict:
malicious
Similar samples:
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
AsyncRAT
1db6c88a75febdf163850df7ee78b92841542e7c779046ee8d39ee64a312c9d4
AsyncRAT
23473106e8e2e1add3756ee0e4101095710b9663791f57e026e08f99218077ff
AsyncRAT
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
AsyncRAT
80201715ba93ce5c35c6fd6ac3c11bda569f5f7e473f8ae2f67f4405e4faa790
AsyncRAT
8acc5e78093d75cd1679b3314f7e79d8a3135a51a65d92d6fe36ed263e6a5860
AsyncRAT
d279e3202c62da190c154aaa835cffce869db3b7811c382bd8b51cd339302589
AsyncRAT
facf2fbbac21edd7550d00e6f6916f9ee598f9c3bdc2ca0feb288c139d687672
AsyncRAT
+ 1'517 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230328-rmt9nabe29/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
bc522b09157295664368b6269240d50be6a41b48d9bf477ead7517de7c00b889
MD5 hash:
2a3bf4025b94b5ba06974cfeb7fd4afa
SHA1 hash:
3eec7579512305fd6547eac621e81f5ca708cccc
Link:
https://www.unpac.me/results/53e14e1c-263d-4401-8558-93f3fc39a3c5/
SH256 hash:
09726f8c920b4c33ed5c1e9e284e0cc5d12551b764041b976414bf3ca597a7d7
MD5 hash:
623dd286fba4e239f91f8ae70788dd7f
SHA1 hash:
49f2e49e183a2f53633e44aeab3f605a6fcda9a6
Link:
https://www.unpac.me/results/53e14e1c-263d-4401-8558-93f3fc39a3c5/
SH256 hash:
56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac
MD5 hash:
3fbeb0ac2c7cd329a43dbab6e2025f37
SHA1 hash:
d57d2fc86bca33214888c5d923530feb5c5ffe09
Link:
https://www.unpac.me/results/53e14e1c-263d-4401-8558-93f3fc39a3c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/378197/

Comments