MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80296fd8a32f5a02fd9d8ac1fb010df2736d89293b3a2a124f3062ef2ed9836a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 16



SHA256 hash: 80296fd8a32f5a02fd9d8ac1fb010df2736d89293b3a2a124f3062ef2ed9836a
SHA3-384 hash: da329cecce4926deac3510e8b51433d4cd1800ec00a2fb07b4989d54fb8a55378a7ff33e5b46e3ead459160d32807f6d
SHA1 hash: 6ba11eb1f686e3fccd225d7bb162bd20f67037a5
MD5 hash: 7bf0cf26aa0bb42776ffa79feb7ff3d0
humanhash: skylark-cup-may-vermont
File name: PO00045789632.exe
Signature: AsyncRAT
File size: 717'312 bytes
First seen: 2023-05-07 04:21:02 UTC
Last seen: 2023-05-13 22:55:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:eXJcu0qu2P4smwHO2Q3NOW1CetS0V7At+SRyG0o+VBYUk2gk0rYk4BTN:vuA4FuhgpM7EyGyUUk2gNStN
Threatray: 1'084 similar samples on MalwareBazaar
TLSH: T1B7E4D0293363FE91C9668379E28590005F329C01D37BE79B1FCA61D91A467EEB8147CB
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: koluke
Tags: AsyncRAT exe
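Before trusting any analysis of a file pulled for this record, confirm it is the same bytes: recompute the digests MalwareBazaar publishes and compare them, and check the PE header for the CLR data directory that the "Generic CIL Executable" TrID verdict implies. The script below is an added example written for this page, not MalwareBazaar's own tooling. `RECORD` copies the hashes and size listed above; the bytes produced by `build_minimal_pe32()` are a constructed header-only stand-in so the code runs offline and are not the real sample. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, py-tlsh) and are left out.

```python
import hashlib
import struct

# Hashes and size copied from the MalwareBazaar record above.
RECORD = {
    "sha256": "80296fd8a32f5a02fd9d8ac1fb010df2736d89293b3a2a124f3062ef2ed9836a",
    "sha1": "6ba11eb1f686e3fccd225d7bb162bd20f67037a5",
    "md5": "7bf0cf26aa0bb42776ffa79feb7ff3d0",
    "sha3_384": "da329cecce4926deac3510e8b51433d4cd1800ec00a2fb07b4989d54fb8a55378a7ff33e5b46e3ead459160d32807f6d",
    "size": 717312,
}


def digests(data: bytes) -> dict:
    """Compute the digest set MalwareBazaar publishes for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "size": len(data),
    }


def verify_record(data: bytes, record: dict) -> list:
    """Return the names of record fields that do NOT match the given bytes.

    An empty list means every hash (and the size) matches, i.e. the file on
    disk is the sample the record describes. All digests are compared, not
    just MD5, so a record whose weaker hash was copied wrongly still fails.
    """
    have = digests(data)
    return sorted(k for k, v in record.items() if have.get(k) != v)


# PE header offsets used below (Microsoft PE/COFF specification).
_E_LFANEW = 0x3C           # DOS header field holding the offset of "PE\0\0"
_MAGIC_PE32 = 0x10B
_MAGIC_PE32PLUS = 0x20B
_CLR_DIR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def pe_summary(data: bytes) -> dict:
    """Lightweight PE check: is it a PE, which machine, and is there a CLR header?

    A non-zero COM descriptor data directory is what marks a .NET (CIL) image,
    the property behind the record's "Generic CIL Executable" TrID hit.
    """
    out = {"is_pe": False, "machine": None, "pe32plus": None, "has_clr_header": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return out
    pe_off = struct.unpack_from("<I", data, _E_LFANEW)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return out
    coff = pe_off + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or len(data) < opt + opt_size:
        return out
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (_MAGIC_PE32, _MAGIC_PE32PLUS):
        return out
    out.update(is_pe=True, machine=machine, pe32plus=(magic == _MAGIC_PE32PLUS))
    # Data directories start at +96 (PE32) or +112 (PE32+); their count sits 4 bytes earlier.
    dd_base = opt + (112 if out["pe32plus"] else 96)
    n_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    if n_dirs > _CLR_DIR_INDEX and len(data) >= dd_base + (_CLR_DIR_INDEX + 1) * 8:
        rva, size = struct.unpack_from("<II", data, dd_base + _CLR_DIR_INDEX * 8)
        out["has_clr_header"] = rva != 0 and size != 0
    return out


def build_minimal_pe32(with_clr: bool = True) -> bytes:
    """Constructed test input: a header-only PE32 image, not the real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = bytearray(96 + 16 * 8)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, _MAGIC_PE32)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if with_clr:
        struct.pack_into("<II", opt, 96 + _CLR_DIR_INDEX * 8, 0x2008, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    stand_in = build_minimal_pe32()
    print(pe_summary(stand_in))
    # The stand-in is not the sample, so every field of RECORD mismatches.
    print("mismatches vs record:", verify_record(stand_in, RECORD))
```

Run `verify_record(open(path, "rb").read(), RECORD)` on the downloaded file; anything other than an empty list means you are not looking at the sample this page describes.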


koluker
Distributed via encrypted RAR file

Intelligence


File Origin
# of uploads: 2
# of downloads: 261
Origin country: JP
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: PO00045789632.exe
Verdict: Malicious activity
Analysis date: 2023-05-07 04:22:10 UTC
Tags: trojan rat asyncrat quasar warzone stealer avemaria

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys comodo lokibot packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of a binary may be suspicious or malicious.
Result
Threat name: AsyncRAT, AveMaria, Neshta, UACMe
Detection: malicious
Classification: spre.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Neshta
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph ID 860613 (sample PO00045789632.exe, start date 07/05/2023, architecture WINDOWS, score 100), reconstructed as a process tree from the graph export:

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

PO00045789632.exe (started)
  drops: C:\Users\user\...\PO00045789632.exe.log (ASCII)
  MSBuild.exe (started)
    network: 192.3.101.190, ports 2015, 2323, 49696 (AS-COLOCROSSINGUS, United States)
    drops: C:\Users\user\AppData\Local\Temp\vmncky.exe (MS-DOS); C:\Users\user\AppData\Local\Temp\syoyjw.exe (PE32)
    cmd.exe (started)
      signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
      powershell.exe (started)
        vmncky.exe (started)
          drops: C:\Windows\svchost.com (MS-DOS); C:\Users\user\Desktop\PO00045789632.exe (MS-DOS); C:\Users\user\AppData\Local\...\setup.exe (MS-DOS); 107 other malicious files
          signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
          vmncky.exe (started)
            network: 172.245.251.219, port 2323 (AS-COLOCROSSINGUS, United States)
            signatures: Multi AV Scanner detection for dropped file; Contains functionality to check if Internet connection is working; Contains functionality to inject threads in other processes; 4 other signatures
      conhost.exe (started)
    svchost.com (started)
      drops: C:\Windows\directx.sys (ASCII)
      signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver
      cmd.exe (started)
        signatures: Suspicious powershell command line found
        powershell.exe (started)
          signatures: Drops executables to the windows directory (C:\Windows) and starts them
          svchost.com (started)
            syoyjw.exe (started)
              signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
        conhost.exe (started)
  MSBuild.exe (started)
  MSBuild.exe (started)
svchost.com (started)
  vmncky.exe (started)
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2023-05-07 04:22:06 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 19 of 37 (51.35%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat botnet:default rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction: 192.3.101.190:2015
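The behaviour graph above and the extracted C2 address together describe a chain that maps directly onto host and network telemetry: the sample starts MSBuild.exe, MSBuild.exe carries the traffic to 192.3.101.190 and drops vmncky.exe and syoyjw.exe into %TEMP%, cmd.exe starts PowerShell with an execution-policy bypass, svchost.com is written to C:\Windows and started, and the later stage reaches 172.245.251.219:2323. The Python below is an added example written for this page, not a rule from MalwareBazaar or any vendor quoted on it. It runs constructed Sysmon-style events (process create, network connect, file create) through rules derived from those observations and reports whether enough distinct stages fired to call it the full chain. The event schema, the PowerShell command line (the report only says the policy is bypassed), the benign-parent allowlist for MSBuild.exe and the unrelated 203.0.113.10 connection are all assumptions made for the example.

```python
import re

# Indicators copied from the record: extracted C2 plus the graph's network nodes.
C2_ENDPOINTS = {
    ("192.3.101.190", 2015),
    ("192.3.101.190", 2323),
    ("172.245.251.219", 2323),
}
# Files the graph shows being dropped into C:\Windows and into %TEMP%.
DROPPED_IN_WINDOWS = {r"c:\windows\svchost.com", r"c:\windows\directx.sys"}
DROPPED_IN_TEMP = {"vmncky.exe", "syoyjw.exe"}

# Assumption for the example: parents from which MSBuild.exe is expected on a
# developer box. Tune per environment; here MSBuild.exe is spawned by the
# malware itself, which no allowlist should ever contain.
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# "-ExecutionPolicy Bypass" and the unambiguous prefixes PowerShell accepts (-ex, -exec, -ep).
_PS_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.IGNORECASE)

# Rules that each represent a distinct stage of the reported chain.
CHAIN_RULES = {
    "msbuild_spawned_by_unexpected_parent",
    "known_asyncrat_c2",
    "powershell_execution_policy_bypass",
    "svchost_com_executed",
    "dropped_file_in_windows_dir",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list:
    """Return the names of the rules a single telemetry event trips."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        if image == "msbuild.exe" and parent not in MSBUILD_EXPECTED_PARENTS:
            hits.append("msbuild_spawned_by_unexpected_parent")
        if image in {"powershell.exe", "pwsh.exe"} and _PS_BYPASS.search(ev.get("command_line", "")):
            hits.append("powershell_execution_policy_bypass")
        if image == "svchost.com":
            # Windows ships svchost.exe, not svchost.com; the graph shows the .com dropped and started.
            hits.append("svchost_com_executed")
    elif kind == "network_connect":
        if (ev.get("dst_ip"), int(ev.get("dst_port", 0))) in C2_ENDPOINTS:
            hits.append("known_asyncrat_c2")
    elif kind == "file_create":
        path = ev.get("path", "").replace("/", "\\").lower()
        if path in DROPPED_IN_WINDOWS:
            hits.append("dropped_file_in_windows_dir")
        if "\\appdata\\local\\temp\\" in path and _basename(path) in DROPPED_IN_TEMP:
            hits.append("known_dropped_filename_in_temp")
    return hits


def scan(events: list) -> dict:
    """Run every event through the rules; list per-event alerts and flag the
    chain when at least three distinct stages of it have fired."""
    alerts = [(ev["id"], rule) for ev in events for rule in match_event(ev)]
    fired = {rule for _, rule in alerts}
    return {"alerts": alerts, "chain_match": len(fired & CHAIN_RULES) >= 3}


# Constructed events modelled on the behaviour graph; not real sandbox output.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Users\user\Desktop\PO00045789632.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r'"C:\Users\user\Desktop\PO00045789632.exe"'},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\user\Desktop\PO00045789632.exe", "command_line": "MSBuild.exe"},
    {"id": 3, "type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dst_ip": "192.3.101.190", "dst_port": 2015},
    {"id": 4, "type": "file_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\vmncky.exe"},
    # Command line is an assumption: the report only states the policy is bypassed.
    {"id": 5, "type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\stage.ps1"},
    {"id": 6, "type": "file_create", "image": r"C:\Users\user\AppData\Local\Temp\vmncky.exe",
     "path": r"C:\Windows\svchost.com"},
    {"id": 7, "type": "process_create", "image": r"C:\Windows\svchost.com",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Windows\svchost.com"},
    {"id": 8, "type": "network_connect", "image": r"C:\Users\user\AppData\Local\Temp\vmncky.exe",
     "dst_ip": "172.245.251.219", "dst_port": 2323},
    # Benign noise that must not fire: MSBuild from Visual Studio, a browser on TEST-NET-3.
    {"id": 9, "type": "process_create",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "command_line": "MSBuild.exe /t:Build"},
    {"id": 10, "type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for event_id, rule in result["alerts"]:
        print(f"event {event_id}: {rule}")
    print("full chain observed:", result["chain_match"])
```

The IP rules are the most brittle: the extracted C2 is the address this build used on 2023-05-07, and the ColoCrossing ranges it sits in are shared hosting, so treat `known_asyncrat_c2` as a high-confidence indicator only while the record is fresh and lean on the behavioural rules (MSBuild.exe with a non-build parent, a `.com` dropped into C:\Windows) for durable coverage.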
Unpacked files
SHA256 hash: 8e83c71d4e02081cb39e39cdaec5a935e594ddbc141eb9d01d7a0651fa12b7eb
MD5 hash: ae501e1a14d197e5b46fe7a9f1a70228
SHA1 hash: e3091fbc265d0f65c4f59a4f1cd9c98484bd0272

SHA256 hash: 280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash: d4b6893a5512534104c6c7403be60897
SHA1 hash: d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d

SHA256 hash: c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash: da56041df789c24cb2a36a364431f766
SHA1 hash: 876e6c579d1092a76ce90c500c43af0cf11724a4

SHA256 hash: dd54dadb0f9bac1b1727388a4240bc5af650b72b7ee9e70c32b5efb17317d659
MD5 hash: c5621b78cf8a0b27cc7a2ef5df078b97
SHA1 hash: 85c52dca18ec2d90c9e817ecfe8a5efddbbbe71b

SHA256 hash: 8b8eecbd8754a4bf665f0d4197085bebe96dbb1053018d87e9f37fd64f51ff40
MD5 hash: 7e77dd0b3f8fcda58a43f4a01bef831d
SHA1 hash: 50a35237f23c84b364851fc848685a7a625ceb66
Detections: AsyncRAT win_asyncrat_w0

SHA256 hash: 80296fd8a32f5a02fd9d8ac1fb010df2736d89293b3a2a124f3062ef2ed9836a
MD5 hash: 7bf0cf26aa0bb42776ffa79feb7ff3d0
SHA1 hash: 6ba11eb1f686e3fccd225d7bb162bd20f67037a5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AsyncRAT
Executable exe 80296fd8a32f5a02fd9d8ac1fb010df2736d89293b3a2a124f3062ef2ed9836a (this sample)

Delivery method: Distributed via e-mail attachment
