MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40
SHA3-384 hash: 4c349dbfec714088c1da92712582a4edc32079940d0bb29a11ac5db4663fa7b320e02be763c136e2e3b05e3c77d10f89
SHA1 hash: a1781c59f2a7de837ac6abaeb1f75516737f6ce3
MD5 hash: cb8707966985e4beaee09da7844c35dc
humanhash: hawaii-oven-venus-july
File name:cb8707966985e4beaee09da7844c35dc.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'268'736 bytes
First seen:2023-01-13 16:51:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:2scuI1acCqFnMGw+tnQ6eYQhqgtklJvSBuGM:EDMEeRrpYZ
Threatray 2'714 similar samples on MalwareBazaar
TLSH T17245E17178F9F9E9F5E28530E9D601BC88EEEF5C25A2CA638142484B3816610E75CF7D
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb8707966985e4beaee09da7844c35dc.exe
Verdict:
Malicious activity
Analysis date:
2023-01-13 16:54:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb621f13-4f02-4366-8ffd-a8ca91b979bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352678/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.30091.10594.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c18c3571fb096abeed83f8/reports/ba43f647-a7a7-4595-8903-ef2c4f4f9d1f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7c185a8-ac31-4e4d-b08b-7a019b1fa3c5
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151259
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 783994 Sample: qYRH1xLXwo.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 42 raw.githubusercontent.com 2->42 44 github.com 2->44 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected zgRAT 2->56 58 5 other signatures 2->58 9 qYRH1xLXwo.exe 3 2->9         started        12 qYRH1xLXwo.exe 4 2->12         started        signatures3 process4 file5 60 Multi AV Scanner detection for dropped file 9->60 62 Machine Learning detection for dropped file 9->62 64 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->66 15 cmd.exe 1 9->15         started        18 qYRH1xLXwo.exe 15 2 9->18         started        40 C:\Users\user\AppData\...\qYRH1xLXwo.exe.log, ASCII 12->40 dropped 68 Modifies the context of a thread in another process (thread injection) 12->68 70 Injects a PE file into a foreign processes 12->70 21 cmd.exe 1 12->21         started        23 qYRH1xLXwo.exe 4 12->23         started        signatures6 process7 dnsIp8 26 powershell.exe 17 15->26         started        28 conhost.exe 15->28         started        46 146.70.76.35, 24317, 49695, 49696 TENET-1ZA United Kingdom 18->46 48 140.82.121.3, 443, 49700, 49704 GITHUBUS United States 18->48 50 2 other IPs or domains 18->50 72 Encrypted powershell cmdline option found 21->72 30 powershell.exe 17 21->30         started        32 conhost.exe 21->32         started        38 C:\Users\user\AppData\...\qYRH1xLXwo.exe, PE32+ 23->38 dropped 34 powershell.exe 19 23->34         started        file9 signatures10 process11 process12 36 conhost.exe 34->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 16:52:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rj4of4eakjta7xw3wbhmi22axxu3ec4bwk2gsvmvz7x62hgvxraa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1136869b303bfb491fda58869c898c19d9086fe34fd752018e49804481c6fbb1
AsyncRAT
144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87
AsyncRAT
6da6fa5a959ad50302b32db9fad3862abcbd0597402941d66935203300d52821
AsyncRAT
98d78baf7a1ceff6ec4f3d2330a30075df9c461d03ceaac23c478112bb333d48
AsyncRAT
a13d5f2dedff839d945268116a3ba08cc0d5e17ed2b519477d118b447c02929f
AsyncRAT
a3ee09ce29be074b29f2ea1a0eb126bc907c93aed40b880f00eb0b8ee59b8d2c
AsyncRAT
bc6b7187bcc579a4fd0e7ffc54bb1a5fb9fa47a3d781bce55a8c4d9ba4df0139
AsyncRAT
cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3
AsyncRAT
d0d03da3e2d11c18da8588b4061ea885005160f3bfb0f30f62aa582285ed2e9f
AsyncRAT
eac172cbeaa29cd3fe3dc4980e58f9f3765644d484bd0bed19c61a2c42c515e0
AsyncRAT
+ 2'704 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230113-vdfaxsed5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40
MD5 hash:
cb8707966985e4beaee09da7844c35dc
SHA1 hash:
a1781c59f2a7de837ac6abaeb1f75516737f6ce3
Link:
https://www.unpac.me/results/1a02919b-67b6-4ed5-b370-e05d4d6ada19/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 8a78e2f08052660fdedbb04ec46b40bde9b20b81b2b4695595cfefed1cd5bc40

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2506770/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/352678/

Comments