MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
SHA3-384 hash: 60b1519e78c91d9e077029b0ab1d65c279aaf6b641cade64e08fe493c5de1c3c51cd9e84b4ed4b955acfdcb877c2ad5e
SHA1 hash: e75d194ef7c651d35e1c2d0c7ea4f53df94a7807
MD5 hash: f0b5de4ab78e051f7b35d5848dafc981
humanhash: potato-purple-king-mirror
File name:SecuriteInfo.com.W32.AIDetectNet.01.13626.20085
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:479'232 bytes
First seen:2022-05-23 05:33:01 UTC
Last seen:2022-05-31 07:29:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:NOHMCAxpNkXSuWf+I7U3hvMn1AVXhy0XJMXMyoRkznjJuS6q9qFdLXiUju5:05i+IAhuaVhHMZo0njJH59qF5XTju
Threatray 1'172 similar samples on MalwareBazaar
TLSH T1B0A4010029AC8B7BDC4D4B78DC6111DC13F65D05BE12E2079FE976EB6A323D0D2166AB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 688e33f0e8e071b2 (10 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.13626.20085
Verdict:
Malicious activity
Analysis date:
2022-05-23 05:42:19 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/db0c3ff9-dee4-45e5-92ad-0b763c8ea078

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273509/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/628b1cd0054dcf0ecae17717/reports/8d7dbb26-4e9c-4548-a1b5-51d964e7389a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/821fcab5-44e1-405a-9e30-4f2f945068cf
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999498
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631991 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 10 other signatures 2->40 7 SecuriteInfo.com.W32.AIDetectNet.01.13626.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\...\BmhaFqjfQksKN.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\tmpB203.tmp, XML 7->28 dropped 30 SecuriteInfo.com.W...et.01.13626.exe.log, ASCII 7->30 dropped 42 Uses schtasks.exe or at.exe to add and modify task schedules 7->42 44 Adds a directory exclusion to Windows Defender 7->44 46 Injects a PE file into a foreign processes 7->46 11 SecuriteInfo.com.W32.AIDetectNet.01.13626.exe 2 7->11         started        14 powershell.exe 24 7->14         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        signatures5 process6 dnsIp7 32 niiarmah.kozow.com 2.56.56.88, 2406, 49768 GBTCLOUDUS Netherlands 11->32 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        process8
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 05:34:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=laonqzy6ifgfusvnlvmhi4j6nxn3wdbufzzuspri4woin3lrh74a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
20270f15d9070f9c2b1d22f0bf2f77ca5ca3dbcf6ccc148b8383a947eb6ebcd5
AsyncRAT
5f9e348e3e48670f658701a635bd7d463202a6c6699bc42c632b1a10c905423c
AsyncRAT
7133536be647a4809ef0e92fc1c0ca8a49db7ed0c79aad39874ae7731bc849b5
AsyncRAT
7d86068523fe035aec83fcb57be4edc0bdca3000fa6046fb66ef246b20e15601
AsyncRAT
abd704dcd33af5d9f679485aec1a95cc2b994a084348c5e6145d99f7f7c2c2b3
AsyncRAT
b48c018d252b5974a13a65c6b67856d4f2059a90499f65037a63324e4a42001c
AsyncRAT
b8d2156946bcfe52c373195328252483b1bb3edb9e54de58ae6a7fe679a38bca
AsyncRAT
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
AsyncRAT
db8077047dd69f232e9318ca7b5c6fdbbd012390453f0be9aaf2bffe4981bb94
AsyncRAT
+ 1'162 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:java rat suricata
Link:
https://tria.ge/reports/220523-f8v8asbge9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Async RAT payload
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:2406
niiarmah.kozow.com:6606
niiarmah.kozow.com:7707
niiarmah.kozow.com:8808
niiarmah.kozow.com:2406
Unpacked files
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
SH256 hash:
3ccf62991ac8ae2d178e665d6718c974ebe45e4c3864c274ec8284f7900139d1
MD5 hash:
73cdcd73736f225bfe54789b52b1e904
SHA1 hash:
c65832ca96467c761ec6b2f31a8c83471e97fb45
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
SH256 hash:
727094ebe687bd9e69fd282d150c041879e2c9a7b7801cce594dd64624239ec1
MD5 hash:
bd2f310417a137f9f8f6e8a69c2401dd
SHA1 hash:
67a45276db4e93e59a8c61284ac71bb858eb112f
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
Parent samples :
581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
1b369655f627c3dd2f7cfc06f8cac5c9a91152b1286608fd03f78c26ce62029c
SH256 hash:
3099c62cbaaf430204186a9b89a2ca71f5adc71bc8ae23b4635996845517a94d
MD5 hash:
5489cf723b57cd045a9013a4a84b2cb9
SHA1 hash:
46583f0bf45f60bc20a90333d32cab9f713d32cb
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
SH256 hash:
da64eeedaa22f8044446ca5d9f211345f1c6d65aed7cef8c668f572c53b24224
MD5 hash:
9b1c24e1918fc33969d7938d587f15d8
SHA1 hash:
0623f8e8d58bb58c7b4c85f0116eb73a49540ac5
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
SH256 hash:
581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8
MD5 hash:
f0b5de4ab78e051f7b35d5848dafc981
SHA1 hash:
e75d194ef7c651d35e1c2d0c7ea4f53df94a7807
Link:
https://www.unpac.me/results/83bd7cb2-78bb-4ce8-a222-0e37f58b8af0/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/581cd8671e41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/581cd8671e414c5a4aad5d5874713e6ddbbb0c342e73493e28e59c86ed713ff8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273509/

Comments