MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa
SHA3-384 hash: 1fdfa929519a46004932c406d91c89a71ce70e185b10d44901468c158a195f7e6bcc6f934c7be078c1df106374ec928c
SHA1 hash: b933a8103e5333a3cd5bba0acbdd5cc6c0c81add
MD5 hash: c0bb576dab19181cdf9a2ccf378f9c41
humanhash: blossom-october-winter-jersey
File name:c0bb576d_by_Libranalysis
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:275'456 bytes
First seen:2021-05-25 12:00:45 UTC
Last seen:2021-05-25 12:02:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Owj6OcDj2rEKx1gV1jWeScKbTjEfnrF+tAPWRsVDwFN9nga5OXQHTM:Owj6OcDj2rEKx1gV1llRfrF+teWRsV0j
Threatray 31 similar samples on MalwareBazaar
TLSH 6644BF2617D40922F6B7473980B78E409FADBD12B5629F8940D5765B0CB33E6ED9032E
Reporter Libranalysis
Tags:AsyncRAT


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161880/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791559
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa/
Threat name:
Win32.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 12:01:08 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
AsyncRAT
1e92ffaaee0217be3540c5a8e0b465d639008e15bb1335fc1aab14ef252f4072
AsyncRAT
78396f7f4448c533637a2ceddd8cf6e94681b7f0c2c7b446c3db3704bda8b928
AsyncRAT
79079eeea81f1225adddc2f707d5a9702877cb7d8fa6843c807b083d56edd813
AsyncRAT
9c5f7b56a45f41ab3d9f7cbdff363a4d738c59679f073af932ac8e1b483075f0
AsyncRAT
c6fa147a533664a8bb8568cddc6efb45663e9153b62c69feedb4fd04c487582b
AsyncRAT
d3369b50e963787693bdc2a967f3f156c91c09a83227e8c2d7851841150e4993
AsyncRAT
e0845f3788d8a7d0e289da2908730a8eeecfc3541df4900099ac31b2dd64b0b5
AsyncRAT
f14a3d76508b0b87878f3a39064fb59af9bf3461e3bdc0f505c05e1da26a39de
AsyncRAT
ff9175a892b7139c1d34f6fed7c028e6f2a8c8c8fd5befea281cca4bb955918d
AsyncRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210525-s8yfj7azts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/5e1526ff008fb0bac26c27ae1260d723d3200351f84f9a7b9a3c5b50a05bc5fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161880/

Comments