MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 11



SHA256 hash: 7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd
SHA3-384 hash: bda220f341a675e690a59dd59690491ce828104823e410582b5a1551fdf493cd53dc4b0f9bea8152b948310121cce35d
SHA1 hash: 615da510d407090f63123b6072945dc859fe0be8
MD5 hash: 3428604986a909a10bf68f47eefca6a1
humanhash: lactose-one-delta-fillet
File name: uncryptLHR.exe
Signature: AsyncRAT
File size: 488'448 bytes
First seen: 2022-11-12 22:20:31 UTC
Last seen: 2022-11-12 23:41:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:kQ5vRWNLeKSk4DM41Fme36w9n+Zb2dqwq+fGNg:J5vRCLeqv431v9gqdRqWG
Threatray: 2'713 similar samples on MalwareBazaar
TLSH: T1AEA4235121508436EC813FFC6332CD0488F43B23D9258D7A2A4A45DAB1A767EDEB7A7C
TrID: 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE): (icon image)
dhash icon: 0ac4c898ac444124 (1 x AsyncRAT)
Reporter: r3dbU7z
Tags: AsyncRAT exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 232
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: uncryptLHR.exe
Verdict: No threats detected
Analysis date: 2022-11-12 22:23:20 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process with a hidden window
Deleting a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph: ID 744700 (sample: uncryptLHR.exe, start date: 12/11/2022, architecture: WINDOWS, score: 100). The rendered graph (not reproducible as text) shows the process tree of uncryptLHR.exe spawning powershell.exe and the dropped Cjoag.exe, the contacted host pearl.crabdance.com on a non-standard port, and the PE32+ files dropped under the user's %AppData% and %temp% directories.
Threat name: ByteCode-MSIL.Trojan.Tiggre
Status: Malicious
First seen: 2022-11-12 22:21:11 UTC
File Type: PE+ (.Net Exe)
Extracted files: 6
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd
MD5 hash: 3428604986a909a10bf68f47eefca6a1
SHA1 hash: 615da510d407090f63123b6072945dc859fe0be8
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AsyncRAT
File type: Executable exe
SHA256: 7e7ec7610373a200dcf87da34869f28d29ec2947fb5defd0dfa5886e12b6b1cd (this sample)

Delivery method
Distributed via web download

Comments