MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 18



SHA256 hash: 7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
SHA3-384 hash: a5d8c854a25d2c0f6ba8ee751adf4ea530b3a782e5251f44f9f9595191aaf5227f628dbc196829dc343f583fffd00ba4
SHA1 hash: 88771e023b11d778b444c3526d9dea80d16046bf
MD5 hash: 32f55b892056a01033de479bb15f445e
humanhash: vermont-steak-yellow-sad
File name: 32f55b892056a01033de479bb15f445e.exe
Signature: AsyncRAT
File size: 930'304 bytes
First seen: 2024-08-06 21:20:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 24576:VZv8Pq6L/0BGg6F8iKm9ZqWMv3OIi43nTJ+:mt/0sg6wm9gp3
TLSH: T1E91523D623CC668BE2DA5C74818179260BB380E26F4DDB090F06863746783B79B43BD7
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: abuse_ch
Tags: AsyncRAT exe RAT


abuse_ch
AsyncRAT C2:
154.216.20.242:5000

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 154.216.20.242:5000
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1307453/

Intelligence


File Origin
# of uploads: 1
# of downloads: 402
Origin country: NL
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
32f55b892056a01033de479bb15f445e.exe
Verdict:
Malicious activity
Analysis date:
2024-08-07 02:14:29 UTC
Tags:
netreactor rat asyncrat remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Execution Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT, Neshta, PureLog Stealer, RedLi
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Neshta
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
[Behavior graph image not reproduced; Behavior Graph ID: 1489077, Sample: rfQ3afwShz.exe, Startdate: 06/08/2024, Architecture: WINDOWS, Score: 100]
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Status:
Malicious
First seen:
2024-08-06 16:52:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
5/5
Verdict:
malicious
Label(s):
asyncrat
Result
Malware family:
sectoprat
Score:
10/10
Tags:
family:asyncrat family:neshta family:redline family:sectoprat botnet:gia.o7lab.me:26644 botnet:o7lab credential_access defense_evasion discovery evasion execution infostealer persistence rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Async RAT payload
Credentials from Password Stores: Credentials from Web Browsers
AsyncRat
Detect Neshta payload
Modifies security service
Neshta
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
blue.o7lab.me:7777
server.underground-cheat.xyz:7777
154.216.20.242:5000
gia.o7lab.me:5000
gia.o7lab.me:26644
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
95383572260cd255334094b0b9994d2ce19f32b60aab8ee6d7e54bb1832cc9e4
MD5 hash:
c1558292d3b8e79c85178232a5030b6f
SHA1 hash:
6a89f4c24687a7ae158994aa9bd1739b19e04912
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
MD5 hash:
32f55b892056a01033de479bb15f445e
SHA1 hash:
88771e023b11d778b444c3526d9dea80d16046bf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907

(this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (GUARD_CF)
Severity: high

Comments