MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b
SHA3-384 hash: 9d024cf81b4412e255dbeabbb69dac085c128913c593e3a5480a717b922035850165fae7a2167a7d7982d321d911a882
SHA1 hash: 1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c
MD5 hash: 5616b95c1b71f2a56742274bec64cfc3
humanhash: ceiling-six-november-delta
File name:file.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:358'784 bytes
First seen:2023-05-23 16:55:34 UTC
Last seen:2023-05-23 17:55:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:FjfgX5fZLs1RIu4FsFp7GUb8x9mTnQGo7Q7k91LQqWPzTg3:5YXhZLsyFMQUb8IQ/7R1UqWPzTg3
Threatray 1'445 similar samples on MalwareBazaar
TLSH T1107422BA7E6C6C60DB26087DD2E7D2075F90A721842A4496F477F0B84A031619F3EB7D
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:AsyncRAT exe signed

Code Signing Certificate

Organisation:Windows Security
Issuer:Windows Security
Algorithm:sha256WithRSAEncryption
Valid from:2023-05-23T14:31:55Z
Valid to:2024-05-23T14:31:55Z
Serial number: b07054c2a2587c115254d4be15f91e5e
Thumbprint Algorithm:SHA256
Thumbprint: 66f5e340dca5b6be9b74c1f489e78f2f685ab327a8002d670decc19250af2e6b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-23 16:58:56 UTC
Tags:
trojan rat asyncrat stealer
Link:
https://app.any.run/tasks/67275c7d-4158-4aba-86d3-68ee72b751d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390838/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.2105.3897.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Sending a custom TCP request
Creating a process from a recently created file
Creating a service
Loading a system driver
Changing a file
Creating a window
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9603e3df-27aa-438c-bd45-41abc8ad0873
Result
Threat name:
AsyncRAT, StormKitty, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241046
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Yara detected UAC Bypass using CMSTP
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 874057 Sample: file.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 99 xmr.2miners.com 2->99 101 icanhazip.com 2->101 103 3 other IPs or domains 2->103 111 Snort IDS alert for network traffic 2->111 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 16 other signatures 2->117 11 file.exe 1 7 2->11         started        15 svchost.exe 4 2->15         started        17 svchost.exe 2->17         started        19 svchost.exe 3 2->19         started        signatures3 process4 file5 89 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 11->89 dropped 91 C:\Users\user\AppData\Local\...\file.exe.log, CSV 11->91 dropped 131 Drops PE files with benign system names 11->131 21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        26 Conhost.exe 11->26         started        93 C:\Windows\Temp\lrj41zr0.inf, Windows 15->93 dropped 133 Writes to foreign memory regions 15->133 135 Adds a directory exclusion to Windows Defender 15->135 137 Injects a PE file into a foreign processes 15->137 28 MpCmdRun.exe 1 15->28         started        30 consent.exe 15->30         started        32 powershell.exe 15->32         started        36 14 other processes 15->36 95 C:\Windows\Temp\n4qxhlax.inf, Windows 17->95 dropped 38 5 other processes 17->38 34 powershell.exe 19->34         started        signatures6 process7 signatures8 40 svchost.exe 5 5 21->40         started        56 2 other processes 21->56 119 Uses schtasks.exe or at.exe to add and modify task schedules 23->119 58 2 other processes 23->58 44 conhost.exe 28->44         started        121 Writes to foreign memory regions 30->121 46 svchost.exe 30->46 injected 48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 Conhost.exe 36->52         started        54 conhost.exe 38->54         started        process9 file10 87 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 40->87 dropped 123 Writes to foreign memory regions 40->123 125 Adds a directory exclusion to Windows Defender 40->125 127 Disables UAC (registry) 40->127 129 2 other signatures 40->129 60 AddInProcess32.exe 40->60         started        65 powershell.exe 19 40->65         started        67 vbc.exe 40->67         started        69 svchost.exe 44->69         started        71 consent.exe 46->71         started        73 consent.exe 46->73         started        signatures11 process12 dnsIp13 105 icanhazip.com 60->105 107 151.80.52.38, 4449, 49704 OVHFR Italy 60->107 109 3 other IPs or domains 60->109 97 C:\Users\user\...\Windows Security.exe, PE32+ 60->97 dropped 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 60->139 141 May check the online IP address of the machine 60->141 143 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 60->143 145 Tries to harvest and steal browser information (history, passwords, etc) 60->145 75 conhost.exe 65->75         started        147 Writes to foreign memory regions 69->147 149 Adds a directory exclusion to Windows Defender 69->149 151 Injects a PE file into a foreign processes 69->151 77 powershell.exe 69->77         started        79 SMSvcHost.exe 69->79         started        81 dfsvc.exe 69->81         started        83 4 other processes 69->83 file14 signatures15 process16 process17 85 conhost.exe 77->85         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b/
Threat name:
Win64.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 16:56:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvgxdsklcyj7fphjbvkjohqrlqz7yv7t26ewltzbs5kmsoj5ey5q._file
Verdict:
malicious
Similar samples:
2267fac6e4bcace94d9ed232cc4ba7e128424e80c5730ea38f23610c11bdc168
AsyncRAT
28ff484ca36b3a1f5d7f59a25e947e9a6b12ca34214f9bcfca01cee5745e6b6a
AsyncRAT
34a6cb7776062b6a981d8f2b1fd7e6e7fc6fb9c5253f57a06cef1903569fd532
AsyncRAT
36f8d4d85b7d03fdbd622909d93638fa20bbdcc1e832591b82dbe7f710ab0be0
AsyncRAT
6159a8ba420cbed9d0ca9abb371cd8b1e600c0e2fd7763f32cec6917605d51d9
AsyncRAT
9bd9cc4e2baf5d47340f1c4e1906289cef6eb1ce07e9889992592baaad5ba759
AsyncRAT
9ef8d74a3ef84feb99d45e04e084fb628c091f8fa3b81b42faacc235ab2e753e
AsyncRAT
d69974ab2591e06f55c58786be3fc436fe992c501dd37724869747e2369c909d
AsyncRAT
f3a73a547e9298562234af0d04a47fe50dd1d6481671e4a5df65e568e89f2c00
AsyncRAT
fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8
AsyncRAT
+ 1'435 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion persistence rat trojan
Link:
https://tria.ge/reports/230523-vfn1vagc64/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Sets service image path in registry
Async RAT payload
AsyncRat
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
151.80.52.38:4449
Unpacked files
SH256 hash:
6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b
MD5 hash:
5616b95c1b71f2a56742274bec64cfc3
SHA1 hash:
1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c
Link:
https://www.unpac.me/results/5d0dbc59-d936-451d-bda4-6d98e743d593/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/390838/

Comments