MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
SHA3-384 hash: 95b273731ff1062361469562bd3d94f2dd1b75076b82d907148e4741eb7391dd1d057de20be5b12331d764fc46033fe4
SHA1 hash: 3182546c9062b070561dab1962898a4c0dca6087
MD5 hash: 95ac8bb99267f46e20857b7caf76a6e0
humanhash: georgia-cola-zulu-mockingbird
File name:ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:908'800 bytes
First seen:2023-03-07 07:49:50 UTC
Last seen:2023-03-08 14:32:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:jUrXlUMk+/FF7phaWVLuIwlAfDbAbg5dMS7TYH5Z8h4R2Yb4cXBZ:jUzlUMkgF7pxVLxDj5dM1H5yYb7XBZ
Threatray 189 similar samples on MalwareBazaar
TLSH T14A157C942F79EE63EB85A0B3180436A6DF6C7D5D2526F0081DE6308F8DF9D2C5111EAE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter cocaman
Tags:AsyncRAT exe RFQ

Intelligence

File Origin
# of uploads :
3
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
ORDER-MTC04RFQGENZAK1220637501220524622023.exe
Verdict:
Malicious activity
Analysis date:
2023-03-07 07:51:35 UTC
Tags:
asyncrat
Link:
https://app.any.run/tasks/51f1f003-a8c2-483c-afce-9ee51d3d39e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372159/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/6406ecad67ca02bce170a00d/reports/b931920a-600d-4596-851a-6f0d9e3cd3bd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eadbcde-24d8-443b-b4ff-23c6885e8f47
Result
Threat name:
AsyncRAT, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188400
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821276 Sample: ORDER-MTC04RFQGENZAK1220637... Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 95 Snort IDS alert for network traffic 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus / Scanner detection for submitted sample 2->99 101 10 other signatures 2->101 10 ORDER-MTC04RFQGENZAK1220637501220524622023.exe 7 2->10         started        14 adobe.exe 2->14         started        16 AerGtGYJlW.exe 5 2->16         started        process3 file4 83 C:\Users\user\AppData\...\AerGtGYJlW.exe, PE32 10->83 dropped 85 C:\Users\...\AerGtGYJlW.exe:Zone.Identifier, ASCII 10->85 dropped 87 C:\Users\user\AppData\Local\...\tmp8598.tmp, XML 10->87 dropped 89 ORDER-MTC04RFQGENZ...20524622023.exe.log, CSV 10->89 dropped 105 Uses schtasks.exe or at.exe to add and modify task schedules 10->105 107 Adds a directory exclusion to Windows Defender 10->107 18 ORDER-MTC04RFQGENZAK1220637501220524622023.exe 6 10->18         started        21 powershell.exe 21 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        109 Antivirus detection for dropped file 14->109 111 Multi AV Scanner detection for dropped file 14->111 113 Machine Learning detection for dropped file 14->113 27 powershell.exe 14->27         started        29 powershell.exe 14->29         started        35 2 other processes 14->35 115 Injects a PE file into a foreign processes 16->115 31 schtasks.exe 16->31         started        33 AerGtGYJlW.exe 16->33         started        signatures5 process6 file7 81 C:\Users\user\AppData\Roaming\adobe.exe, PE32 18->81 dropped 37 cmd.exe 18->37         started        39 cmd.exe 18->39         started        41 conhost.exe 21->41         started        43 conhost.exe 23->43         started        45 conhost.exe 25->45         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 31->51         started        53 conhost.exe 35->53         started        process8 process9 55 adobe.exe 37->55         started        58 conhost.exe 37->58         started        60 timeout.exe 37->60         started        62 conhost.exe 39->62         started        64 schtasks.exe 39->64         started        signatures10 103 Adds a directory exclusion to Windows Defender 55->103 66 adobe.exe 55->66         started        69 powershell.exe 55->69         started        71 powershell.exe 55->71         started        73 2 other processes 55->73 process11 dnsIp12 91 milanooffice.hopto.org 194.59.218.147, 4040, 49686 FASTWEBIT Netherlands 66->91 93 192.168.2.4, 138, 4040, 443 unknown unknown 66->93 75 conhost.exe 69->75         started        77 conhost.exe 71->77         started        79 conhost.exe 73->79         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 04:42:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
16 of 39 (41.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkp33uqzu7glwzgnyf5la3yx6kleifgdwtwv37tj3lckv7rqqmaa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0bc4886cebbde3d4a932203fa8596540269e0c92bb20cf2f8250f063c43798b8
AsyncRAT
34daae4c26da65a8a6b4b5fe0286dcd9c412610120e31ddb98ab67f0466b3a56
AsyncRAT
5fdb6e2373c18ec9d19f822279bce3d0e84c731ae8c0410fdd613c59379e6ad9
AsyncRAT
6b5b7eaba354864363cd0c95de9d926b2878201de9030cbb0bbd512a84697b40
AsyncRAT
7465ebf31275971c5df2f8f6b41cbd9660e940ad02e1937c99f80756fa1d33c4
AsyncRAT
76000176614d6ee212baf69e6589e97a94ed6ffe7ce762c6e40d3ae5aca30fd3
AsyncRAT
8197e71791a36b364c735addbf05c9533530aae40f1c4d124d7ed098705d2a2f
AsyncRAT
896363cb6c5505b48615777ce409a415de259e7277888afc1bceae8afbf3b03c
AsyncRAT
c31db5aec9add40498b70fadc64eecb0b036cc0d894868ecd365213bd23dd064
AsyncRAT
d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c
AsyncRAT
+ 179 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230307-jn93hagf4x/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
milanooffice.hopto.org:6606
milanooffice.hopto.org:7707
milanooffice.hopto.org:8808
milanooffice.hopto.org:4040
milanooffice.hopto.org:5058
milanooffice.hopto.org:80
51.68.180.4:6606
51.68.180.4:7707
51.68.180.4:8808
51.68.180.4:4040
51.68.180.4:5058
51.68.180.4:80
Unpacked files
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
SH256 hash:
91356b3a3d5f153921fe44a70dd142ff94157fc134257297c89bade2b31103e4
MD5 hash:
991a9d420b677d33edbe2b64551de31b
SHA1 hash:
a8acc013c1a10ae3a263607720b2003b6b18668d
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
Parent samples :
ca0b1b8a0b420154b135f21acdc3612ad594ab31a56f0216979017514443c428
6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
73bd75310c7d227be8a35416785e4fa58b79796bed6fdccee63c8a73628173dd
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
712710c60c2076ac44b6e50cc8b36191fab0f2db8f5ea779e2884af28dcaab93
MD5 hash:
fa8f57c06bb98d9655a5d774f06f7617
SHA1 hash:
8d5282ebdb1c913a68529d845547057457533dc7
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
SH256 hash:
a625c12b4d9499aa9b9b250b2cf8d38c030f2d4b14772032cfeaaecd1010aaea
MD5 hash:
b8280d899041ba70e8860dfbd2daa767
SHA1 hash:
0a15812d282d3fbe46f9ac6bf54e2c31ae129efd
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
SH256 hash:
6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
MD5 hash:
95ac8bb99267f46e20857b7caf76a6e0
SHA1 hash:
3182546c9062b070561dab1962898a4c0dca6087
Link:
https://www.unpac.me/results/78762588-3cdb-47cd-8ec6-91ff2a83d668/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a9fbdd219a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip a16b5f3c6b4f73563ed5f276337c0bc59319dcfafce5273a7b75a080bc20ca1a

AsyncRAT

Executable exe 6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/372159/
  
Dropped by
SHA256 a16b5f3c6b4f73563ed5f276337c0bc59319dcfafce5273a7b75a080bc20ca1a
  
Dropped by
MD5 8bd7320fa277aeeb9d3724fce742a732

Comments