MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9218755901d3d68d1e17b5cc7782666a2abedfb09ecbf7b34cd30f4ab7cd15c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9218755901d3d68d1e17b5cc7782666a2abedfb09ecbf7b34cd30f4ab7cd15c1
SHA3-384 hash: 0e04c0a01c786408db088ad14e86c2e7cceb1dace3ae986800851d023c3aa31250ddb2bac0c687f479c603da79acdbc7
SHA1 hash: a22ad65bfc77ebf9f97e7f4372e62b43d427d1a2
MD5 hash: 5bd0e360baea9241983ddec144ae7607
humanhash: dakota-michigan-vegan-lactose
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:329'728 bytes
First seen:2022-11-12 21:03:03 UTC
Last seen:2022-11-13 07:12:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:qSm088/9qR5ioaYkQySeXTJFRhgoy4Hv1sGVvvBj9m:aU/WioaJ6eDJV7yEvpvBk
Threatray 563 similar samples on MalwareBazaar
TLSH T1BE64CF772C91C9E0F26058B5CFD6EA88AC764CD6B49CBF47AE850921485F38DED2385C
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:AsyncRAT exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_655950238?hash=ihGAwKoDSRGyZnzVwzsEyxdOuzvYfUYz4pZxkEZJNJg&dl=G43DANZVGAYDSNY:1668286148:RWHwpMuoJcdhs17YiToJzdvMIi2nS8fuAlT0QvFlWeH&api=1&no_preview=1#10_1

Intelligence

File Origin
# of uploads :
270
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-12 21:04:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71ad3f95-fb5c-4368-a813-c820795e878e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333028/
Detection(s):
SecuriteInfo.com.BackDoor.AsyncRATNET.2.14847.9972.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63700a4382dd9f2e2653dc51/reports/afa70b79-2ce1-4599-bcce-68615efe81d2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/224aaeb5-64bf-4fa3-b329-52eb7738bfec
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111981
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DcRat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 744677 Sample: file.exe Startdate: 12/11/2022 Architecture: WINDOWS Score: 100 23 Snort IDS alert for network traffic 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 Yara detected DcRat 2->27 29 8 other signatures 2->29 6 file.exe 1 1 2->6         started        10 file.exe 2->10         started        12 file.exe 2->12         started        process3 file4 19 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 6->19 dropped 31 Creates autostart registry keys with suspicious names 6->31 33 Writes to foreign memory regions 6->33 35 Injects a PE file into a foreign processes 6->35 14 InstallUtil.exe 1 2 6->14         started        17 InstallUtil.exe 6->17         started        signatures5 process6 dnsIp7 21 212.227.169.228, 4449, 49702 ONEANDONE-ASBrauerstrasse48DE Germany 14->21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9218755901d3d68d1e17b5cc7782666a2abedfb09ecbf7b34cd30f4ab7cd15c1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 21:04:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=simhkwib2pli2hqxwxghpatgnivl5x5qt3f7pm2m2mhuvn6ncxaq._file
Verdict:
malicious
Similar samples:
34259ebe24b406dd57d293d68a2d035f25e229a5f65cd9eef0215e40331a3d21
AsyncRAT
44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe
AsyncRAT
4f28d606adaacc365adde510380b2d5111339ecca6fc7e996d68e6ebb66d29b8
AsyncRAT
560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138
AsyncRAT
9f38198ca55e984bd65f7a324853411d19a3426ac0455f64b76eb3aa2c1d85e8
AsyncRAT
bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac
AsyncRAT
ebc1c03760f08f8e264c69a6515c4dfd91698ad720f625c02b389a5081380e9b
AsyncRAT
+ 553 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:venom clients persistence rat
Link:
https://tria.ge/reports/221112-zv288she82/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
212.227.169.228:4449
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/49139729-44da-4c1c-a132-d2fd959ef6f3
Unpacked files
SH256 hash:
9218755901d3d68d1e17b5cc7782666a2abedfb09ecbf7b34cd30f4ab7cd15c1
MD5 hash:
5bd0e360baea9241983ddec144ae7607
SHA1 hash:
a22ad65bfc77ebf9f97e7f4372e62b43d427d1a2
Link:
https://www.unpac.me/results/41fdcd63-8fcc-4616-b0e1-760b18ac488a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9218755901d3d68d1e17b5cc7782666a2abedfb09ecbf7b34cd30f4ab7cd15c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/333028/

Comments