MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
SHA3-384 hash: 7a603c5b58d4aea3750745c0325243c0feb054c29667a649b70903f6ec06a56cb1875d36768ab8a34e47618d3d778322
SHA1 hash: 6fb52c21afe5fe112e586ea69568c7e70158afa1
MD5 hash: f8917dd23a244af6a89a7c388bfb2d5c
humanhash: wisconsin-north-fruit-spaghetti
File name:ORDER-REQUIRMENT-REF-000042531.cmd
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'312'256 bytes
First seen:2025-01-23 12:51:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ce36606f623718466016a09db99c028 (1 x Formbook, 1 x AsyncRAT)
ssdeep 24576:JUWe1lsIh7u57Mhl0Siz+h4dYEXvVzlFjG31di:JClztlpiz+adRvVR2D
Threatray 59 similar samples on MalwareBazaar
TLSH T10A559ED2F08285B1C19A0E34BD3BA768A52E3D3E6F1E66452DE1FD4C5E37381621A5C3
TrID 38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
28.2% (.EXE) Win64 Executable (generic) (10522/11/4)
12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon ff8f8b8c8c8a8fff (1 x Formbook, 1 x AsyncRAT)
Reporter JAMESWT_WT
Tags:AsyncRAT exe NEOFX Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
873
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER-REQUIRMENT-REF-000042531.cmd.exe
Verdict:
Malicious activity
Analysis date:
2025-01-23 12:56:12 UTC
Tags:
delphi m0yv sinkhole evasion snake keylogger stealer smtp
Link:
https://app.any.run/tasks/3edf0c33-0a73-4e4c-b8d0-215a2c7c8d20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67923c6be708b6e7a3b063e4
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Searching for the window
Creating a service
Launching a service
Loading a system driver
Moving a recently created file
Creating a file in the %AppData% directory
Modifying an executable file
Searching for synchronization primitives
Modifying a system executable file
Creating a file in the Windows subdirectories
Connection attempt to an infection source
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger masquerade
Link:
https://www.filescan.io/uploads/67923b7a33bf9c7630044e43/reports/4c5229be-9a14-4584-9492-479bfd92f0de/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61b059bc-fad3-4346-ba83-d9f8aaf6b63d
Result
Threat name:
DBatLoader, MassLogger RAT, PureLog Stea
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1597580
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1597580 Sample: ORDER-REQUIRMENT-REF-000042... Startdate: 23/01/2025 Architecture: WINDOWS Score: 100 60 reallyfreegeoip.org 2->60 62 zlenh.biz 2->62 64 55 other IPs or domains 2->64 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 90 19 other signatures 2->90 8 ORDER-REQUIRMENT-REF-000042531.cmd.exe 1 10 2->8         started        13 Lqsrhpvh.PIF 2->13         started        15 alg.exe 1 2->15         started        17 19 other processes 2->17 signatures3 88 Tries to detect the country of the analysis system (by using the IP) 60->88 process4 dnsIp5 72 drive.google.com 142.250.184.206, 443, 49704, 49705 GOOGLEUS United States 8->72 74 drive.usercontent.google.com 172.217.18.1, 443, 49706 GOOGLEUS United States 8->74 52 C:\Windows \SysWOW64\truesight.sys, PE32+ 8->52 dropped 54 C:\Windows \SysWOW6454ETUTILS.dll, PE32+ 8->54 dropped 56 C:\Users\Public\Libraries\hvphrsqL.pif, PE32 8->56 dropped 58 7 other files (6 malicious) 8->58 dropped 104 Drops PE files with a suspicious file extension 8->104 106 Writes to foreign memory regions 8->106 108 Allocates memory in foreign processes 8->108 110 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->110 19 hvphrsqL.pif 15 3 8->19         started        24 cmd.exe 3 8->24         started        26 cmd.exe 1 8->26         started        112 Sample uses process hollowing technique 13->112 114 Sample is not signed and drops a device driver 13->114 116 Allocates many large memory junks 13->116 28 hvphrsqL.pif 13->28         started        30 TieringEngineService.exe 13->30         started        32 cmd.exe 13->32         started        34 cmd.exe 13->34         started        76 oflybfv.biz 47.129.31.212, 50003, 50012, 50033 ESAMARA-ASRU Canada 15->76 78 dlynankz.biz 85.214.228.140, 50053, 80 STRATOSTRATOAGDE Germany 15->78 80 10 other IPs or domains 15->80 118 Creates files in the system32 config directory 15->118 120 Contains functionality to behave differently if execute on a Russian/Kazak computer 15->120 122 Found direct / indirect Syscall (likely to bypass EDR) 17->122 file6 signatures7 process8 dnsIp9 66 reallyfreegeoip.org 104.21.48.1, 443, 49753, 49863 CLOUDFLARENETUS United States 19->66 68 saytjshyf.biz 44.221.84.105, 49771, 49790, 50014 AMAZON-AESUS United States 19->68 70 7 other IPs or domains 19->70 44 C:\Windows\System32\wbengine.exe, PE32+ 19->44 dropped 46 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 19->46 dropped 48 C:\Windows\System32\vds.exe, PE32+ 19->48 dropped 50 141 other malicious files 19->50 dropped 92 Detected unpacking (changes PE section rights) 19->92 94 Detected unpacking (overwrites its own PE header) 19->94 96 Tries to steal Mail credentials (via file / registry access) 19->96 102 2 other signatures 19->102 36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        98 Tries to harvest and steal browser information (history, passwords, etc) 28->98 100 Creates files inside the volume driver (system volume information) 30->100 40 conhost.exe 32->40         started        42 conhost.exe 34->42         started        file10 signatures11 process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-01-23 12:48:16 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mckgn7foiy2euqm6jai6qo2sthrlsqihxqmvnp3roe3wjiktwhaa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
asyncrat
Create hunting rule
expiro
Create hunting rule
Similar samples:
3335d593c4a2f7ab94a35fd5a0991026d1800592a18cc842686d3bf6bb66503d
AsyncRAT
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
AsyncRAT
5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
AsyncRAT
829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5
AsyncRAT
9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
AsyncRAT
a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466
AsyncRAT
efd64c0b88bbe45461d13b2a0acd9544218f819f4579af35b5fc92e20d5f6fa5
AsyncRAT
error
AsyncRAT
ff3bcc4bc70f9e6724fcc0fb36c4f57cc5956136850bd39c9581413f7c4688a9
AsyncRAT
+ 49 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250123-p32ybszqcx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/5686a4ec-e510-4b83-a0dc-2203411edda5
Unpacked files
SH256 hash:
609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
MD5 hash:
f8917dd23a244af6a89a7c388bfb2d5c
SHA1 hash:
6fb52c21afe5fe112e586ea69568c7e70158afa1
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/c37d547c-ed34-46d1-b72f-221de86922a3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/609466fcae46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard
user32.dll::PeekMessageA

Comments