MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d
SHA3-384 hash:	379a2b1d70902e9896f718988e0363878381756723f5f1836d752ad1962928ed891bb6cbea329ea2d50ffc34b08813f3
SHA1 hash:	4ad6adfbe4c4c3bb18eeb5a7045df890d34e28e3
MD5 hash:	01f255c3992d9003b1d01848a2d2a662
humanhash:	hamper-delta-william-wolfram
File name:	01F255C3992D9003B1D01848A2D2A662.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'512'960 bytes
First seen:	2021-03-26 20:06:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (221 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	24576:IuwcFJBDq3o+YKpAZiz9eCUoCBTYRIsUIVzD7xgTh3kBNNhDJmohjuWEeEDNMstp:nNJRio+nAozoo0MRI9CXxyKNFRQ3eEDD
Threatray	1'606 similar samples on MalwareBazaar
TLSH	826533F92E65682AFEE8587B16974DA24718531204F4F0BF616EF7323A77F328D81016
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

abuse_ch

AsyncRAT C2:
47.241.99.19:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
47.241.99.19:80	https://threatfox.abuse.ch/ioc/5517/

Intelligence

File Origin

# of uploads :

# of downloads :

224

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

01F255C3992D9003B1D01848A2D2A662.exe

Verdict:

Malicious activity

Analysis date:

2021-03-26 20:08:59 UTC

Tags:

trojan rat asyncrat

Link:

https://app.any.run/tasks/1b94ae05-76d6-4706-bd98-0abebaca5043

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BitRAT

Link:

https://www.capesandbox.com/analysis/127200/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Malware.Mikey-9819889-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Setting a global event handler

Sending a custom TCP request

Sending a UDP request

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d981dd3c-06d9-4309-b18a-ac984fe235fa

Result

Threat name:

BitRAT Xmrig

Detection:

malicious

Classification:

troj.evad.mine

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/655475

Signature

Antivirus / Scanner detection for submitted sample

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected BitRAT

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d/

Threat name:

Win32.Spyware.Solmyr

Status:

Malicious

First seen:

2021-03-24 00:43:45 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k6lcijf7774sb7652ol3wghkdxfuhnsb76fi24whhshg3m6zwy6q._file

Verdict:

malicious

AsyncRAT

146de084ff60046edb599a6f8ae1503aa2a7f39c550807e9af069c2e8c9ea34c

AsyncRAT

493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927

AsyncRAT

4e4cd19c835a2fafb63df3429c6db21507e34fcb33c3072c93f28fb4fc32967b

AsyncRAT

7fa734ae8d4dd945ab53df6bc39a42134e91411aa06ea0bdda0425e7c60911c6

AsyncRAT

a863c5d16b5aa24f51529b7482d42401caf457ef0560545725be60bbbc16bd6a

AsyncRAT

ad3c67acd7773a47ac0d46c544f1bcaa03ddbeb577b195e66fc4a15cd4413dab

AsyncRAT

b05d95907bad3746cc161aa8bd74c71191a25fc383557fbf754d7c417daeb8f4

AsyncRAT

d16be9bd809afa992d073da2f25af20fc450b33d9e645de51ea086b5c8f07978

AsyncRAT

d80f533d3202def1e03d6b4a21cc01eefb5cec003e4740174dbcfbc9112e17f4

AsyncRAT

+ 1'596 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/210326-jqq83dv1vj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d

MD5 hash:

01f255c3992d9003b1d01848a2d2a662

SHA1 hash:

4ad6adfbe4c4c3bb18eeb5a7045df890d34e28e3

Link:

https://www.unpac.me/results/8b23638d-915c-431b-91e8-4ea7d5d7b5ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57962424bffff920ffddd397bb18ea1dcb43b641ff8a8d72c73c8e6db3d9b63d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	MALWARE_Win_BitRAT Create hunting rule
Author:	ditekSHen
Description:	Detects BitRAT RAT

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127200/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample