MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7281624072d7fa3ba1991c4312684fb92595b6d5ff3a0cc889e60108f2ab2771. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	7281624072d7fa3ba1991c4312684fb92595b6d5ff3a0cc889e60108f2ab2771
SHA3-384 hash:	6d0a50a004f3419ef7fab10a5811ffa7a73c94c9ccc62f7ffb05fd016ec72e505a3a668078b235886b449d5d8f21b2a9
SHA1 hash:	aa5280aba0f4387e895695a4ac7224eb9ddb8ad3
MD5 hash:	8049add7236589827177ac212b419033
humanhash:	quebec-venus-spring-jersey
File name:	SecuriteInfo.com.Win64.Evo-gen.1299.12720
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	594'432 bytes
First seen:	2023-01-04 05:30:49 UTC
Last seen:	2023-01-06 00:53:06 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:QzOETojcRS+eIW1R/9mf8Ir/bg8KcPjYBro9v3MZL/hqU/Nv1Bbk26SrOWAc:QKIiIW/988ILbLGro93MZlqU1vL
Threatray	2'345 similar samples on MalwareBazaar
TLSH	T178C4F19D766071EFC867D4B6CEA81DB8EA5475BB930B410390230AEE9A4D897CF140F7
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	SecuriteInfoCom
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349316/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.1299.12720.UNOFFICIAL

PUA.Win.Packed.ConfuserEx-6391397-0

PUA.Win.Packed.ConfuserEx-6582917-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Launching a process

Creating a process with a hidden window

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a window

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

confuserex packed

Link:

https://www.filescan.io/uploads/63b50f190e926711fd76c960/reports/901f56e3-335d-4746-880a-9472b2c99054/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9390f737-8aa2-4f5f-9576-c9f0bca186b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7281624072d7fa3ba1991c4312684fb92595b6d5ff3a0cc889e60108f2ab2771/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-01-04 05:31:08 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=okaweqds275dximzdrbre2cpxeszlnwv745azsej4yaqr4vle5yq._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595

AsyncRAT

1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

AsyncRAT

417ae2d5f5111ddf80b63c443e14b70ec2052b3e64a35940c9f81f262f7e526e

AsyncRAT

48b29546e6b607eb912ce4b9957224c9606b0df8f5fa5b0da0ba1fd7a6ec9e7c

AsyncRAT

68346d23f359a27744b49d6ea9bd229f2929d1cee057670d2ba73545c0ba427d

AsyncRAT

963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5

AsyncRAT

a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e

AsyncRAT

e77f29f3b57b776b5ffb2ed7fdf461702166396172d32809646ef08872894725

AsyncRAT

ef02701e2196f54b5858bcb67a41d34fc9a5f248efdae181c701c200950d638d

AsyncRAT

+ 2'335 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230104-f7pzwsea64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

XMRig Miner payload

xmrig

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7eaef625-117f-43df-aebb-b9aa82cd3b2b

Unpacked files

SH256 hash:

7281624072d7fa3ba1991c4312684fb92595b6d5ff3a0cc889e60108f2ab2771

MD5 hash:

8049add7236589827177ac212b419033

SHA1 hash:

aa5280aba0f4387e895695a4ac7224eb9ddb8ad3

Link:

https://www.unpac.me/results/3bfb4ee5-f5f2-44fb-b5a4-e4d746b022d6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/7281624072d7fa3ba1991c4312684fb92595b6d5ff3a0cc889e60108f2ab2771

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/349316/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample