MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 21 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7
SHA3-384 hash: b99a56c568823aa9e32383dc57ba9d1987aae865b91d20a240167472d352d9309bca7091f3cff2c02f46fd0715ca9af9
SHA1 hash: fc8014c4c916af6556e677402dfe8ebfd55cd9ef
MD5 hash: 0e0b669d90c80cea6398e81d139d7d29
humanhash: alpha-hydrogen-queen-magnesium
File name:0e0b669d90c80cea6398e81d139d7d29
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:225'280 bytes
First seen:2023-10-09 06:46:52 UTC
Last seen:2023-10-09 07:51:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:H3grKG6eriEss8/8qJqXuN/QR+InqJ0m1fVMaeLnpvAsWtV9Jp:XgfricQ8qJqXuN/QUInxYfaeftV
Threatray 31 similar samples on MalwareBazaar
TLSH T11024F72085A68BD0CFE6B5B1537AE3E415B670591422F6F1684F3EDD630F65A83A0EC3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
0e0b669d90c80cea6398e81d139d7d29
Verdict:
Malicious activity
Analysis date:
2023-10-09 07:04:31 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/50577dbc-22c8-4ebe-9ae1-5f82176d198e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Gathering data
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3bc56e4-e8a7-41fc-8369-1538d1547a12
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321990
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1321990 Sample: Tfg0dDQ5CZ.exe Startdate: 09/10/2023 Architecture: WINDOWS Score: 100 82 amm.mine.nu 2->82 92 Snort IDS alert for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 7 other signatures 2->98 9 Tfg0dDQ5CZ.pif 3 2->9         started        12 Tfg0dDQ5CZ.exe 3 2->12         started        14 Tfg0dDQ5CZ.pif.pif.pif.pif 2->14         started        16 7 other processes 2->16 signatures3 process4 signatures5 100 Multi AV Scanner detection for dropped file 9->100 18 Tfg0dDQ5CZ.pif.pif.pif 9->18         started        21 cmd.exe 1 9->21         started        29 2 other processes 9->29 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->102 23 cmd.exe 1 12->23         started        32 3 other processes 12->32 25 cmd.exe 14->25         started        35 4 other processes 14->35 27 cmd.exe 16->27         started        37 21 other processes 16->37 process6 dnsIp7 84 Multi AV Scanner detection for dropped file 18->84 45 3 other processes 18->45 49 2 other processes 21->49 86 Drops PE files to the document folder of the user 23->86 88 Uses cmd line tools excessively to alter registry or file data 23->88 90 Drops PE files with a suspicious file extension 23->90 51 3 other processes 23->51 53 2 other processes 25->53 55 2 other processes 27->55 68 C:\Users\user\Documents\Tfg0dDQ5CZ.pif.pif, PE32 29->68 dropped 39 conhost.exe 29->39         started        80 amm.mine.nu 194.169.175.43, 1335, 49711 CLOUDCOMPUTINGDE Germany 32->80 70 C:\Users\user\Documents\Tfg0dDQ5CZ.pif, PE32 32->70 dropped 41 conhost.exe 32->41         started        72 C:\Users\...\Tfg0dDQ5CZ.pif.pif.pif.pif.pif, PE32 35->72 dropped 43 conhost.exe 35->43         started        74 C:\Users\user\...\Tfg0dDQ5CZ.pif.pif.pif, PE32 37->74 dropped 76 C:\...\Tfg0dDQ5CZ.pif.pif.pif.pif.pif.pif, Unknown 37->76 dropped 57 19 other processes 37->57 file8 signatures9 process10 file11 78 C:\Users\user\...\Tfg0dDQ5CZ.pif.pif.pif.pif, PE32 45->78 dropped 106 Uses cmd line tools excessively to alter registry or file data 45->106 59 reg.exe 45->59         started        62 conhost.exe 45->62         started        64 conhost.exe 45->64         started        66 Conhost.exe 53->66         started        108 Creates multiple autostart registry keys 57->108 signatures12 process13 signatures14 104 Creates multiple autostart registry keys 59->104
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-10-07 15:52:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdz2vab5ngukchgz2ystid446htvtqwcht5ls52szcwhnz2p363q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
32bdc05f94a1cd79e80677c623332a0eb1fe83163a62f235c8a50d44034fea41
AsyncRAT
46e321489e9b76e1ccbf661d8d2972efb563de4817f67a9082da5283d2389ba8
AsyncRAT
6a30833b7ec13144c0ce90a7c6f805186b8a61f8a69e13ec684fe533682d65cf
AsyncRAT
864f0cc06b5d4bd910f107bdf56225c18eb90303120c9148b7038e1152655f00
AsyncRAT
88f4284bc8f0f23ab3b6c37b3c1ae3f04993af17c2b968900006960338898546
AsyncRAT
e359c6277dcebf7b485dd5b3e54f25d60b4bbacf25f9818ac3f8604317136f4d
AsyncRAT
e91838e3f9c6aa4e1e043fa30ac176081877347166e52aa9b9cb1e7f25acecbf
AsyncRAT
ef7b8582cd02a9bcb90c8474391b4f6656ecfd716abbe88574476b2abda06f33
AsyncRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:raz-exe persistence rat spyware stealer
Link:
https://tria.ge/reports/231009-hj7k5sdb95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
amm.mine.nu:1335
Unpacked files
SH256 hash:
36ac23c7ba2701948e78b4cc19ec03cb34dfb4333e00e5583234bb093acb377c
MD5 hash:
e38e07f6d5cc0825b55502729e74dfd4
SHA1 hash:
c6e3a9a1ebd213a69e0b25cf8f3896eb883233f3
Link:
https://www.unpac.me/results/f743fe78-aca9-4249-bcf2-80a5ea5d6636/
SH256 hash:
d22fb338cdd58b04c847c2a38c956d27fbbd0654e0e086c4c230ae221c3ba2b6
MD5 hash:
6818771f05081a2d9fc91bc2c81e42da
SHA1 hash:
375400071997efbe9798b231f419a1deb27b1747
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/f743fe78-aca9-4249-bcf2-80a5ea5d6636/
SH256 hash:
80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7
MD5 hash:
0e0b669d90c80cea6398e81d139d7d29
SHA1 hash:
fc8014c4c916af6556e677402dfe8ebfd55cd9ef
Link:
https://www.unpac.me/results/f743fe78-aca9-4249-bcf2-80a5ea5d6636/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:Windows_Trojan_Asyncrat_11a11ba1
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2718297/

Comments


Avatar
zbet commented on 2023-10-09 06:46:53 UTC

url : hxxps://pmjo.fra1.cdn.digitaloceanspaces.com/1712.exe