MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271
SHA3-384 hash: ebb514eba08512931c4bf5ee8ee31f5ed8a71415eff5b03ab5305b81ea235a221180a78c7e34ea79a79f16457701ff4a
SHA1 hash: c346b3f224cd4ac9082f6af497547dfcf2716429
MD5 hash: b1e81013ac84144cc31ee082f51dda9f
humanhash: jig-happy-hotel-fourteen
File name:b1e81013ac84144cc31ee082f51dda9f.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:620'544 bytes
First seen:2022-03-11 17:05:15 UTC
Last seen:2022-03-11 19:16:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZWDw3gxOCeUg3rbuLGJ4XxLhxqfwMB3WUAUXjII8:Zi4UdqJWzxk3B
Threatray 1'970 similar samples on MalwareBazaar
TLSH T142D45AD23B487A4CC4659B3A82B9797F82B65DDC6336C128AF99761FC4B74358F70280
File icon (PE):PE icon
dhash icon e0d8f8c8c9fcf8e0 (1 x AsyncRAT, 1 x Vidar)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249544/
Detection(s):
MiscreantPunch.SingleXOR.EXE.113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/622b817e0cd58dbd927f98a2/reports/5b894ff9-4c47-4e31-b928-875a2e3b0e19/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6dffd123-5d27-479b-9c77-e83d57f3226f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/955239
Signature
.NET source code contains potential unpacker
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables Windows Defender (via service or powershell)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587717 Sample: Jx8qQ3h5r7.exe Startdate: 11/03/2022 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for submitted file 2->42 44 .NET source code contains potential unpacker 2->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->46 48 Yara detected Costura Assembly Loader 2->48 8 Jx8qQ3h5r7.exe 3 2->8         started        process3 file4 38 C:\Users\user\AppData\...\Jx8qQ3h5r7.exe.log, ASCII 8->38 dropped 50 Uses ipconfig to lookup or modify the Windows network settings 8->50 52 Modifies the context of a thread in another process (thread injection) 8->52 54 Disables Windows Defender (via service or powershell) 8->54 56 Injects a PE file into a foreign processes 8->56 12 Jx8qQ3h5r7.exe 3 3 8->12         started        signatures5 process6 signatures7 58 Protects its processes via BreakOnTermination flag 12->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->60 62 Disables Windows Defender (via service or powershell) 12->62 64 3 other signatures 12->64 15 ipconfig.exe 1 12->15         started        18 powershell.exe 19 12->18         started        20 powershell.exe 18 12->20         started        22 9 other processes 12->22 process8 dnsIp9 40 192.168.2.1 unknown unknown 15->40 24 conhost.exe 15->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 5 other processes 22->36 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-03-10 18:17:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 27 (62.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ne2es7rzu3ouftw2duqskw3rp3r3cy4yebagz6tmmlhtzemc2jyq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
374ec0de5ab31bc54adc80e494194f0070a78839701d19b73b27ca605f05c768
AsyncRAT
4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a
AsyncRAT
700a6ba703505b60689b1e935be88efc68ec5a00cddfa9044f571c9c7285d2c2
AsyncRAT
790b75e1d50978e41ae57a87008b3d1922d3efd15924b59a2a0967f29abdab8a
AsyncRAT
8cb84526f67ca8bb0454e0cbdd81d265a70fc90edbcf97aec591d9e340dca013
AsyncRAT
b097632bd99f8ed079b4c9a709b00b67048950a1bee7f39434f4d52d2b8f9131
AsyncRAT
b0bf885d8534981dd430ff106215c5910917262fbc42b339d5f5b58d3f1af819
AsyncRAT
b78d1a08d070c59c01a026f22639c157f41074a14f572e32298cf8a4b9cb3505
AsyncRAT
c35f5536d8732a6b5a06362d550ddfee4e79a778e63317a09179e4e5704b37ab
AsyncRAT
e59fbf01fe2ade6245736ab14a9ab1b29cf8f543b17da61ab3b0184724831614
AsyncRAT
+ 1'960 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/220311-vmeqraade4/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Windows security modification
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/a951fc13-a3f3-4abe-9565-26c7d0a0e2b9/
SH256 hash:
80a4805b8a4c5e506dd15d32d7943e88704a8a6990869c1ad5f437f02ebc7fa1
MD5 hash:
962bf29ffb1f87645926707c1456e6d5
SHA1 hash:
ba05e98979e66b80bfaac5a7cb311f030fa4a671
Link:
https://www.unpac.me/results/a951fc13-a3f3-4abe-9565-26c7d0a0e2b9/
SH256 hash:
485e47f539290c7de47c840af82188ded4fb5bff27266ce17f1d9aa58ab2140b
MD5 hash:
43caadda5e15b4ffa83f0a0813de2df1
SHA1 hash:
80258d0ba46d0e3a91699bd6e56a2a8cbadeb219
Link:
https://www.unpac.me/results/a951fc13-a3f3-4abe-9565-26c7d0a0e2b9/
SH256 hash:
6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271
MD5 hash:
b1e81013ac84144cc31ee082f51dda9f
SHA1 hash:
c346b3f224cd4ac9082f6af497547dfcf2716429
Link:
https://www.unpac.me/results/a951fc13-a3f3-4abe-9565-26c7d0a0e2b9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6934497e39a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249544/

Comments