MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 683f0e829eeb0860f19ac325bb399d4bb4837d9c011ac018fee6118490a1666c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 12

SHA256 hash: 683f0e829eeb0860f19ac325bb399d4bb4837d9c011ac018fee6118490a1666c
SHA3-384 hash: 959b534f5557de5f98d0dc53c58fb81375e56ab4f475ec64a62f0740a0a672dd1ad4c2354ea552b6708276df3fb95634
SHA1 hash: e92ec4e696661c50d2ccbe05e44d19c413f58d18
MD5 hash: 4ba81cd6a16ffd3bf5e0e7338df60a5f
humanhash: single-tango-beryllium-queen
File name: lets-win.exe
Download: download sample
Signature: AsyncRAT
File size: 17'901'131 bytes
First seen: 2025-02-08 20:34:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep: 393216:/Fj0IBCLzNxfYrp0ei6EMF9AFulgy8k7JaajjfHnDY5Su:/FXBmNOrpHi6E0Uk7wSnk
TLSH: T17C07332673920E3BD28938BCDC1AF5957CA1B5CEA8C118416C3EDB4F077879248BDE59
TrID: 74.1% (.EXE) Inno Setup installer (107240/4/30)
      9.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      7.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: d0e0f86cf4dcdccc (4 x ValleyRAT, 1 x AsyncRAT, 1 x VenomRAT)
Reporter: aachum
Tags: AsyncRAT exe


iamaachum
https://kuailian555.com/lets-win_install.zip

AsyncRAT C2: 27.124.4.150:51311

Intelligence


File Origin
# of uploads: 1
# of downloads: 522
Origin country: ES

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: lets-win.exe
Verdict: Malicious activity
Analysis date: 2025-02-08 20:37:41 UTC
Tags: websocket
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: dropper virus sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Running batch commands
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict: UNKNOWN

Result
Threat name: n/a
Detection: malicious
Classification: spre.spyw.evad
Score: 66 / 100
Signature
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses Register-ScheduledTask to add task schedules
Behaviour
Behavior Graph (rendered graph image not reproduced): Behavior Graph ID 1610249, Sample lets-win.exe, Startdate 08/02/2025, Architecture WINDOWS, Score 66.
Root-node processes in the graph: lets-win.exe, powershell.exe, svchost.exe and 6 other processes; root-node network contacts: yandex.com, www.yandex.com and 11 other IPs or domains.
Threat name: ByteCode-MSIL.Trojan.CrypterX
Status: Malicious
First seen: 2025-02-08 20:35:21 UTC
File Type: PE (Exe)
Extracted files: 863
AV detection: 15 of 24 (62.50%)
Threat level: 5/5

Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default defense_evasion discovery execution persistence privilege_escalation rat
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Network Service Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Async RAT payload
AsyncRat
Asyncrat family
Malware Config
C2 Extraction: 27.124.4.150:51311
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AcRat
Author: Nikos 'n0t' Totosis
Description: AcRat Payload (based on AsyncRat)
Rule name: Borland
Author: malware-lu
Rule name: dcrat
Author: jeFF0Falltrades
Rule name: dcrat_kingrat
Author: jeFF0Falltrades
Rule name: dcrat_rkp
Author: jeFF0Falltrades
Description: Detects DCRat payloads
Rule name: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Author: ditekSHen
Description: Detects executables attempting to enumerate video devices using WMI
Rule name: MAL_AsnycRAT
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: MAL_AsyncRAT_Config_Decryption
Author: SECUINFRA Falcon Team
Description: Detects AsyncRAT based on its config decryption routine
Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_DOTNET_PE_List_AV
Author: SECUINFRA Falcon Team
Description: Detects .NET binary that lists installed AVs
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: venomrat
Author: jeFF0Falltrades
Rule name: Windows_Generic_Threat_ce98c4bc
Author: Elastic Security
Rule name: Windows_Trojan_Donutloader_f40e3759
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AsyncRAT
Sample: Executable exe 683f0e829eeb0860f19ac325bb399d4bb4837d9c011ac018fee6118490a1666c (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID: Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode (high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (high)
CHECK_NX: Missing Non-Executable Memory Protection (critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (high)

Reviews (ID: Capabilities, Evidence)
SECURITY_BASE_API: Uses Security Base API
  advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API: Can Create Process and Threads
  kernel32.dll::CreateProcessW
  advapi32.dll::OpenProcessToken
  kernel32.dll::CloseHandle
WIN_BASE_API: Uses Win Base API
  kernel32.dll::LoadLibraryExW
  kernel32.dll::LoadLibraryW
  kernel32.dll::GetSystemInfo
  kernel32.dll::GetStartupInfoA
  kernel32.dll::GetDiskFreeSpaceW
  kernel32.dll::GetCommandLineW
WIN_BASE_IO_API: Can Create Files
  kernel32.dll::CreateDirectoryW
  kernel32.dll::CreateFileW
  kernel32.dll::DeleteFileW
  kernel32.dll::GetWindowsDirectoryW
  kernel32.dll::GetFileAttributesW
  kernel32.dll::FindFirstFileW
WIN_BASE_USER_API: Retrieves Account Information
  advapi32.dll::LookupPrivilegeValueW
WIN_REG_API: Can Manipulate Windows Registry
  advapi32.dll::RegOpenKeyExW
  advapi32.dll::RegQueryValueExW
WIN_USER_API: Performs GUI Actions
  user32.dll::PeekMessageW
  user32.dll::CreateWindowExW

Comments