MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93
SHA3-384 hash: d3adaecb8fcefaab6bb15b13ab192f75e6e076ba48aa7bd4b275093ca5f496f85f8fbccc0cd1fb4b2ca882c3d67861c9
SHA1 hash: 7bf21667ceae63881bc00fca91dd9ee98994730a
MD5 hash: 0e78fdd576e7936d5c866f9307979fb4
humanhash: september-skylark-cardinal-failed
File name:SOPORTE DE PAGO DETALLE DE CONFIRMACION.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:543'744 bytes
First seen:2023-02-28 19:48:08 UTC
Last seen:2023-02-28 21:34:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xvgQNODKe/eIhJdQFlzynZim5OpzvruB2ZElQNJDSb6i9WH3c2WInOAG:aDN/eIhkUEW2/NQbz9y3s
Threatray 352 similar samples on MalwareBazaar
TLSH T1EEC4D06FB7D01A21DEAEF531D4760A4CD7B1DA660300A62797CB15CB3F2A20B6D06ED1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter 0xToxin
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
SOPORTE DE PAGO DETALLE DE CONFIRMACION.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 19:49:40 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/10a20afd-8fa4-4686-a7ea-a082d9075219

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370708/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.13462.13661.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fe5aafbfec0852a68df41e/reports/5abc116b-f6b6-4372-aaf0-930a90805388/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5667b8fc-17bc-4a0b-9af9-e1a6506a53f4
Result
Threat name:
AsyncRAT, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184556
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817406 Sample: SOPORTE DE PAGO DETALLE DE ... Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 9 other signatures 2->72 7 SOPORTE DE PAGO DETALLE DE CONFIRMACION.exe 15 3 2->7         started        12 System32.exe 5 2->12         started        14 System32.exe 14 2 2->14         started        process3 dnsIp4 50 www.google.com 142.250.203.100, 443, 49695, 49696 GOOGLEUS United States 7->50 46 SOPORTE DE PAGO DE...ONFIRMACION.exe.log, ASCII 7->46 dropped 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->74 16 cmd.exe 1 7->16         started        19 cmd.exe 3 7->19         started        48 C:\Users\user\AppData\Local\...\watchdog.exe, PE32 12->48 dropped 76 Writes to foreign memory regions 12->76 78 Injects a PE file into a foreign processes 12->78 22 watchdog.exe 12->22         started        24 InstallUtil.exe 12->24         started        80 Machine Learning detection for dropped file 14->80 file5 signatures6 process7 dnsIp8 58 Uses ping.exe to sleep 16->58 60 Uses ping.exe to check the status of other devices and networks 16->60 27 PING.EXE 1 16->27         started        30 conhost.exe 16->30         started        32 reg.exe 1 1 16->32         started        42 C:\Users\user\AppData\Roaming\System32.exe, PE32 19->42 dropped 44 C:\Users\...\System32.exe:Zone.Identifier, ASCII 19->44 dropped 34 System32.exe 2 19->34         started        36 conhost.exe 19->36         started        38 PING.EXE 1 19->38         started        40 PING.EXE 1 19->40         started        62 Antivirus detection for dropped file 22->62 64 Machine Learning detection for dropped file 22->64 52 ertyftgfg.duckdns.org 177.255.88.17, 49699, 8020 ColombiaMovilCO Colombia 24->52 file9 signatures10 process11 dnsIp12 54 127.0.0.1 unknown unknown 27->54 56 www.google.com 34->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 19:49:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=saxq4qexfu43gthe6a7aadiww56dvwjyh65knje3oqumvynqr2jq._file
Verdict:
unknown
Similar samples:
0bf8d1b56d9ee5eae096286c987f3433ee9e1141afdd45581c0b644316e2fdb2
AsyncRAT
135cbc54b63c8ec17f8174791d5fdfce239e587a319a335d4c22ef7e7ec225d0
AsyncRAT
22b8eea77c280d8bbfe86c7a3acac4e60f11bfeb5fa03cfef44678513af49600
AsyncRAT
24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67
AsyncRAT
3c95ad2e565262c2324a40bb1778e70a197d6452a9a7457d0fd639befa1466d4
AsyncRAT
4fa8e3ed74b9d941888ab229b323154e2a2bdb2274fd7e767e16bb8dadd97365
AsyncRAT
60a45dd4711c5aaa146e4b973d33934a6e7e29e530666202b7a88a6fb845ccb1
AsyncRAT
797c253df096431e69f1aa84f0010f248384fe437cda4bf8df916c48fbb7984f
AsyncRAT
d063eec4ec30ecc633469e28b06bf8288a9107cd9f16ea97720877a6f761e248
AsyncRAT
+ 342 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat
Link:
https://tria.ge/reports/230228-yjne9sch59/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
ertyftgfg.duckdns.org:8020
Unpacked files
SH256 hash:
902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93
MD5 hash:
0e78fdd576e7936d5c866f9307979fb4
SHA1 hash:
7bf21667ceae63881bc00fca91dd9ee98994730a
Link:
https://www.unpac.me/results/ad135747-bb1e-4890-97cc-1f749566278f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/902f0e40972d39b34ce4f03e000d16b77c3ad9383fbaa6a49b7428cae1b08e93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370708/

Comments