MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a
SHA3-384 hash:	f7b00c724521ab88fcd201ea1e6ea0c7614487ea4b5eb5fa420baf33903ff09f4c3e23fc55517f3524969a1e5f4c5e67
SHA1 hash:	d58ff9db5dd504d1cb8c4064be8d2eb6ba3093cd
MD5 hash:	b5ecb3dcc5c8e035dd81c97972a03c67
humanhash:	seventeen-sink-monkey-queen
File name:	b5ecb3dcc5c8e035dd81c97972a03c67.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	474'112 bytes
First seen:	2021-08-26 05:53:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:ZIPxOAzwvUEgOW2u5ZQ5xUWp+L+3cKyfnFRgaS85hvaQPSfjrCq1x/u0B:ZIwA0sq5xUk+AyN+K58ASLWqjGk
Threatray	109 similar samples on MalwareBazaar
TLSH	T16FA403919EEFCDCEC2AF723FA01A0C8215DED316079792E49B464E31B7845239D661E3
dhash icon	0cd2c1c4d0c1f20c (18 x AsyncRAT, 9 x QuasarRAT, 8 x RedLineStealer)
Reporter	abuse_ch
Tags:	AsyncRAT exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b5ecb3dcc5c8e035dd81c97972a03c67.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-26 05:55:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b9b4b95d-ea69-4475-adc7-49425d26d85d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/182482/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37478941.27143.1663.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/febfa173-bd85-42ce-b1f2-566ea1ba6027

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/839482

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2021-08-25 21:09:27 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mpsnixd7z2o6bn4ofpaj36mp7yu2y3fj4nxsi6lx7i3ucw4nue5a._file

Verdict:

unknown

AsyncRAT

503daa99af5a571e42bba412296ce3f6e086ce203359cb27f7d04442d10b2999

AsyncRAT

60333b9138bb30f9a4d5d48a699ad137fe46646b276b55e1dbec71f8cf1b1d2c

AsyncRAT

a024f189799cced8d2b2b164f4cc73b0eb9e12784bc977f182175bb61c17a171

AsyncRAT

a3b2cafa928f4fb6d88fe1988d38ae5c7a5323f65739925394d4b641bca02f49

AsyncRAT

fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5

AsyncRAT

+ 99 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat persistence rat

Link:

https://tria.ge/reports/210826-6jv58zd46x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

AsyncRat

Unpacked files

SH256 hash:

2c6af610f9858302d01b68b7b7b23c37618477cf25c4c293240bdf442ac21f65

MD5 hash:

772415af4ba3e59f28eaf2e0d72f4477

SHA1 hash:

d3d0cd3ded508b50954a1a3625a8fcac66ae4d40

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/e4669372-1d75-4a83-bb26-5a02bb70a4b0/

SH256 hash:

6899fccd05ea1b9127b1ed5a6b422d49497a2f46c6a5b3e6799d46f5be8a2ae6

MD5 hash:

44e9e2d95587c4ed12b5069773c3fb4d

SHA1 hash:

ae007bae5b02d0bcfa07efe99e6b06d1b9aa97f2

Link:

https://www.unpac.me/results/e4669372-1d75-4a83-bb26-5a02bb70a4b0/

SH256 hash:

01ef880f2355599e1d374f77e8f0874ebe26eb3dcad5a7863ba22a4f775bc933

MD5 hash:

71cf43629629d9d2cbd3cb584f3f07cb

SHA1 hash:

85d6e9cc3322b0c39b388f11a376c9b66dcf0918

Link:

https://www.unpac.me/results/e4669372-1d75-4a83-bb26-5a02bb70a4b0/

SH256 hash:

63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a

MD5 hash:

b5ecb3dcc5c8e035dd81c97972a03c67

SHA1 hash:

d58ff9db5dd504d1cb8c4064be8d2eb6ba3093cd

Link:

https://www.unpac.me/results/e4669372-1d75-4a83-bb26-5a02bb70a4b0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63e4d45c7fce9de0b78e2bc09df98ffe29ac6ca9e36f247977fa37415b8da13a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182482/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample