MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b
SHA3-384 hash: 5b11901991c03a4d6a745085c6c01a3960c7ef9c914a4c4606b3ecfdeb66df95a1ad7e1466f84863f40411534271c61c
SHA1 hash: 210678585c82d7a60e7887ff66db1c93866c332f
MD5 hash: 40611a3c5415b7c9220ae63408c02d9a
humanhash: michigan-foxtrot-black-single
File name:40611A3C5415B7C9220AE63408C02D9A.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:394'850 bytes
First seen:2021-06-20 19:21:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 12288:b5393whFOBbMfJhYmyM9nd64Bw3V54qYE:b53uhFPcMNdzB25h
Threatray 360 similar samples on MalwareBazaar
TLSH 1484DFB077F5A0F2E15335727880336837FAF22D4B1445E7A758260ABC259C2A6BD5CB
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
89.45.6.74:56060

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.45.6.74:56060 https://threatfox.abuse.ch/ioc/137794/

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
40611A3C5415B7C9220AE63408C02D9A.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-20 19:22:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/593d2625-d9d9-4f8c-8035-1f9c1b15554a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167220/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/524286b2-0d1b-42e1-bed5-f7c7652c53e2
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804970
Signature
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 437381 Sample: NIMPOeli6U.exe Startdate: 20/06/2021 Architecture: WINDOWS Score: 100 51 nstaut.nsupdate.info 2->51 57 Antivirus detection for dropped file 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 8 other signatures 2->63 11 NIMPOeli6U.exe 4 2->11         started        15 Windows Update Assistant.exe 2 2->15         started        signatures3 process4 dnsIp5 47 C:\Users\user\AppData\Local\...\snapshot.exe, PE32 11->47 dropped 69 Contains functionality to register a low level keyboard hook 11->69 18 cmd.exe 1 11->18         started        53 nstaut.nsupdate.info 89.45.6.74, 56060 M247GB Romania 15->53 71 Protects its processes via BreakOnTermination flag 15->71 file6 signatures7 process8 signatures9 55 Uses schtasks.exe or at.exe to add and modify task schedules 18->55 21 snapshot.exe 9 18->21         started        25 conhost.exe 18->25         started        process10 file11 45 C:\Users\user\AppData\Local\...\cnbiehsew.exe, PE32 21->45 dropped 65 Multi AV Scanner detection for dropped file 21->65 67 Machine Learning detection for dropped file 21->67 27 cnbiehsew.exe 7 21->27         started        signatures12 process13 file14 49 C:\Users\...\Windows Update Assistant.exe, PE32 27->49 dropped 73 Antivirus detection for dropped file 27->73 75 Multi AV Scanner detection for dropped file 27->75 77 Detected unpacking (changes PE section rights) 27->77 79 2 other signatures 27->79 31 cmd.exe 1 27->31         started        33 cmd.exe 1 27->33         started        signatures15 process16 process17 35 Windows Update Assistant.exe 3 31->35         started        37 conhost.exe 31->37         started        39 timeout.exe 1 31->39         started        41 conhost.exe 33->41         started        43 schtasks.exe 1 33->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b/
Threat name:
ByteCode-MSIL.Backdoor.Rastarby
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 21:04:42 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qndiaiuw7qz3o6sdjraq73u6avgoh5tqu5eqpvqduuqrfbdfxefq._file
Verdict:
malicious
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
AsyncRAT
2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
AsyncRAT
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
AsyncRAT
4daba398d1d338f7eb29eef55e1afa4595dde813b27b33dcfb48ceff27e7e8b0
AsyncRAT
561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
AsyncRAT
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
AsyncRAT
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
AsyncRAT
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
AsyncRAT
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
AsyncRAT
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
AsyncRAT
+ 350 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210620-ad6ks32lce/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f1f8dd87bb94420cab9574adf997e44e04e29a3b07d63536da278b488f6f0b22
MD5 hash:
bf3d5ee74cec658d24b4c00c1fafa2e3
SHA1 hash:
ef5acdd652aee548fb894c264c92b2b212716798
Link:
https://www.unpac.me/results/143d6519-b60c-4a33-b01d-7c0fd7f47f9b/
SH256 hash:
597096c0543a0b21975ed96e6fb1dff7858bfad512f0f2da1d0643df109c7b4d
MD5 hash:
d1b422f30e6767a4102b1eac71e1caa5
SHA1 hash:
038fe2624e3203a54021bab1e803647a15a65408
Link:
https://www.unpac.me/results/143d6519-b60c-4a33-b01d-7c0fd7f47f9b/
SH256 hash:
3282f3d83d62c626ea109ed3e395b49b7f9dee937dbe1f98cb50d053b98f066c
MD5 hash:
e5cebff01abbd57bdce1c1fc4bf838ab
SHA1 hash:
19c5a65c4bce771f67edfc0d17829aa071f0bd16
Link:
https://www.unpac.me/results/143d6519-b60c-4a33-b01d-7c0fd7f47f9b/
SH256 hash:
79dd0b2eeeef9306976cc0fab233c7027a23c7ad7bc9006f69ec886b048d9abf
MD5 hash:
445ff443e583daf969883c2ff4515153
SHA1 hash:
967dd305d4ba5a8e1169233209bcfb99031c3cf6
Link:
https://www.unpac.me/results/143d6519-b60c-4a33-b01d-7c0fd7f47f9b/
SH256 hash:
8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b
MD5 hash:
40611a3c5415b7c9220ae63408c02d9a
SHA1 hash:
210678585c82d7a60e7887ff66db1c93866c332f
Link:
https://www.unpac.me/results/143d6519-b60c-4a33-b01d-7c0fd7f47f9b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167220/

Comments