MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfdb205a07646b4323ad50572dd591f84aef2594dd2b4c1107e11e4f6980efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 16

SHA256 hash: 6cfdb205a07646b4323ad50572dd591f84aef2594dd2b4c1107e11e4f6980efd
SHA3-384 hash: 6005a6439a073b01eed58fecb5006fc6e3aa477390f3963a56b36b68542e1135d0a233716bf059c003a9b124ad8e6b7e
SHA1 hash: 95679cacb84b8b09c5c1c616ba981cd9cf9b202c
MD5 hash: f54c6b8ef19dd85969433fcb4ae7ed3a
humanhash: alanine-delaware-johnny-apart
File name: Xreutkuij.bin
Signature: AsyncRAT
File size: 589'312 bytes
First seen: 2022-06-26 18:24:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:4fWbbcJtzUV76KsCDLx8E+CwNrPnmLXx2peCPaf:4fWcJtzUhsm3+CwNrmtWeu
Threatray: 1'615 similar samples on MalwareBazaar
TLSH: T1D1C4F05FE600F86AECEB6134E50CBB643B10AC2105669D67A8F9BF290C701177AF8775
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: c420c4cca2c4f071 (1 x QuasarRAT, 1 x AsyncRAT)
Reporter: KdssSupport
Tags: AsyncRAT exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 147.135.106.246:8808
ThreatFox reference: https://threatfox.abuse.ch/ioc/729177/

Intelligence


File Origin
# of uploads: 1
# of downloads: 253
Origin country: n/a
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: Xreutkuij.exe
Verdict: Malicious activity
Analysis date: 2022-06-26 17:48:00 UTC
Tags: asyncrat trojan rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph ID: 652514 (sample: Xreutkuij.bin; start date: 26/06/2022; architecture: WINDOWS; score: 100). Node content recovered from the graph image:
- Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
- Processes started: Xreutkuij.exe, Gjgnig.exe (two instances), InstallUtil.exe, powershell.exe, conhost.exe
- Files dropped by Xreutkuij.exe: Gjgnig.exe (PE32) under C:\Users\user\AppData\Roaming\...; Gjgnig.exe:Zone.Identifier (ASCII) under C:\Users\user\...; Xreutkuij.exe.log (ASCII) under C:\Users\user\AppData\...
- Signature on Xreutkuij.exe: Encrypted powershell cmdline option found
- Signatures on Gjgnig.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- Network contact from InstallUtil.exe: 147.135.106.246, ports 49771, 49773, 8808 (OVHFR, United States)
- Signature on InstallUtil.exe: Tries to harvest and steal browser information (history, passwords, etc)
Threat name: ByteCode-MSIL.Backdoor.Crysan
Status: Malicious
First seen: 2022-06-26 16:37:02 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default persistence rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Async RAT payload
AsyncRat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
0.0.0.0:6606
0.0.0.0:7707
0.0.0.0:8808
147.135.106.246:6606
147.135.106.246:7707
147.135.106.246:8808
Unpacked files
SHA256 hash: 5b1e1cfdd90989e68dce40ae050ab5b0c411181cc38e3ef9e428a23b5b86d8cc
MD5 hash: aa41dace39fca70e9de0f498d1d790c0
SHA1 hash: 9dcd3c2a3c0704c1c66facd04a8ba9a6a85784f0

SHA256 hash: f6063bc3a7f47dc6d9b5325c4c869ee8050e93bc5860a0ef4f4bf59bb6e42c29
MD5 hash: 7a2f12035d915b741ac4def4f55d9f9b
SHA1 hash: 80285043b1b795ae4e1059918b38336169a0043b

SHA256 hash: 8e73034198bbf2ab34f6167916a1702c5faac7e5701a1aa53b674e6c0902b516
MD5 hash: e7b5f4b7613c70746a628fea0762d501
SHA1 hash: 488aaef6fb0e441b25e9e2402f563ede56847c34
Detections: win_asyncrat_w0 AsyncRAT

SHA256 hash: 6cfdb205a07646b4323ad50572dd591f84aef2594dd2b4c1107e11e4f6980efd
MD5 hash: f54c6b8ef19dd85969433fcb4ae7ed3a
SHA1 hash: 95679cacb84b8b09c5c1c616ba981cd9cf9b202c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
