MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea
SHA3-384 hash: 9eb8b088907f2fb389716cd79fbf26af65ccbd2fcba29c0ddf1a589121ec9b3eb416a4d94f9ae557654cd86701bd2d70
SHA1 hash: ea47d9daf34f039bb457271494f24fc363da9411
MD5 hash: 604f96ec72f0f4a77ebc2d8e9ae2728f
humanhash: timing-connecticut-failed-oscar
File name:SO-GWR14-2022_reversed.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:672'768 bytes
First seen:2022-02-16 10:26:46 UTC
Last seen:2022-02-16 10:31:07 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:bj+yDKLgMElOYSVzZe5YTpvWOFV8C/LwRe62Ntljw0z/SWFeGI/MBt:GpGAVzNBnFV8QsRx2N/M0r3eL2t
Threatray 280 similar samples on MalwareBazaar
TLSH T1BCE47CA12EDA8A77DBA98736C4F1CA009F76D158359BE39F14AC72783487332715AC31
Reporter pr0xylife
Tags:AsyncRAT dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241875/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/620cd179ac8ad0468b4664f4/reports/ec5a3892-95c5-444c-9f53-246c28462ba5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f049cdb2-e2a6-4f28-b15f-da281225dd9e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/940720
Signature
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Call by Ordinal
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573194 Sample: SO-GWR14-2022_reversed.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 56 13 Malicious sample detected (through community Yara rule) 2->13 15 Sigma detected: Suspicious Call by Ordinal 2->15 17 Yara detected Costura Assembly Loader 2->17 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-16 10:27:10 UTC
File Type:
PE (.Net Dll)
Extracted files:
5
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lget7nedbbehq7i73h3zd3xr5yctoyte2vliq7t22hcqoxitmxva._file
Verdict:
unknown
Similar samples:
05ba36adc06b3ca377293860d2fc9663ef886d04f13b524f34d1d21bce10fb84
AsyncRAT
0e6860a8ce361236ec4bff327266a53152fe642e30bc076cada2d8ec9c1fa3c1
AsyncRAT
1bc7ae65ce4613e96d19dcf560ec6bb47395431ed05480c42895002570c9cb3a
AsyncRAT
274422d8fb0a807ee41552012c99ca2573555c43a3314968554836c1646f4c15
AsyncRAT
47e65f3cd47ce47eb9594e6019dbbaa86ca678dad2b5bb590f072a8cc133e9e0
AsyncRAT
674cac26b5ee006a476669c6857e24a8187ef94945d521c8bbe9069ec74494ba
AsyncRAT
ca9cf9fd1fe5446319f7038465c6e4b33e2969591717350535e4f24ee237c6cd
AsyncRAT
d8079b19aa1f119485291950ae0580757618dd23c4d18eed64e06aa3a86c1751
AsyncRAT
dbd907b09dd3b29a2482cfd460af698cb64465cd8526607939b05cdf96abfe6f
AsyncRAT
+ 270 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220216-mg4hxschaj/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Unpacked files
SH256 hash:
59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea
MD5 hash:
604f96ec72f0f4a77ebc2d8e9ae2728f
SHA1 hash:
ea47d9daf34f039bb457271494f24fc363da9411
Link:
https://www.unpac.me/results/3f3c5636-aa3d-47d1-83b7-e7e05641ebc6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241875/

Comments