MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash: 985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9
SHA3-384 hash: 51c7cb2a1ecb3dbfe3f263813e3d2faba0f5bb60ae211ee96a3e49f0abc53059262359efd3b679afecb31228b226a6b7
SHA1 hash: 7cca1a10272b84abf7da155f913a301533ffd2c4
MD5 hash: b28a3a496bb68f9c4308ee7d888e7a27
humanhash: nebraska-muppet-washington-fanta
File name:SecuriteInfo.com.Trojan.InjectNET.14.26458.24870
Download: download sample
Signature AsyncRAT
File size:312'320 bytes
First seen:2022-11-07 22:12:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'083 x AgentTesla, 20'060 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 6144:BoXVkyjpPglDUzV5SZ7KVCgH6kZSPEVRyEPZ3:WlwlDUoqHY4RyKZ3
TLSH T1A2649C0796C469BEDC3A567F1B779FF9676C7952280CC6012361223A512D0CEBE42FB2
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8213013131341131 (10 x AsyncRAT, 4 x zgRAT, 1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/Oumdaddy/Battlefield-2042-External-Hack-Cheat-ESP-AIMBOT/raw/main/battlefield-2042/BattleField%202042%20External%E2%80%AEnls..scr
Verdict:
Malicious activity
Analysis date:
2022-10-24 08:23:48 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Running batch commands
Sending a custom TCP request
Creating a process with a hidden window
Changing a file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740426 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 132 zenginler.online 2->132 134 cdn.discordapp.com 2->134 136 Antivirus / Scanner detection for submitted sample 2->136 138 Multi AV Scanner detection for submitted file 2->138 140 Yara detected MSILDownloaderGeneric 2->140 142 2 other signatures 2->142 12 SecuriteInfo.com.Trojan.InjectNET.14.26458.24870.exe 3 2->12         started        16 WIndowShellHost.exe 3 2->16         started        18 OpenWith.exe 2->18         started        signatures3 process4 file5 122 SecuriteInfo.com.T...26458.24870.exe.log, CSV 12->122 dropped 148 Writes to foreign memory regions 12->148 150 Allocates memory in foreign processes 12->150 152 Injects a PE file into a foreign processes 12->152 20 RegAsm.exe 1 3 12->20         started        23 RegAsm.exe 12->23         started        25 RegAsm.exe 12->25         started        27 RegAsm.exe 16->27         started        signatures6 process7 file8 112 C:\Users\user\...\WINDOWSHELLHOSTT.EXE, PE32 20->112 dropped 29 WINDOWSHELLHOSTT.EXE 5 20->29         started        33 DEFENDERRUNTIME.EXE 27->33         started        36 DEFENDERRUNTIMEE.EXE 27->36         started        38 FILEMANAGE.EXE 27->38         started        40 6 other processes 27->40 process9 dnsIp10 124 C:\Users\user\AppData\...\WIndowShellHost.exe, PE32 29->124 dropped 158 Writes to foreign memory regions 29->158 160 Allocates memory in foreign processes 29->160 162 Injects a PE file into a foreign processes 29->162 42 RegAsm.exe 13 29->42         started        45 cmd.exe 1 29->45         started        48 powershell.exe 13 29->48         started        130 192.168.2.1 unknown unknown 33->130 164 Encrypted powershell cmdline option found 33->164 50 powershell.exe 33->50         started        52 powershell.exe 36->52         started        54 powershell.exe 38->54         started        56 powershell.exe 40->56         started        file11 signatures12 process13 file14 114 C:\Users\user\AppData\...\WINDOWSPROTECT.EXE, PE32 42->114 dropped 116 C:\Users\user\...\WINDOWSDEFENDERSMART.EXE, PE32 42->116 dropped 118 C:\Users\user\AppData\...\SECURITYHOST.EXE, PE32 42->118 dropped 120 9 other malicious files 42->120 dropped 58 DEFENDERRUNTIME.EXE 2 42->58         started        61 SECURITYHEALTHSEURVIC.EXE 42->61         started        73 10 other processes 42->73 154 Uses schtasks.exe or at.exe to add and modify task schedules 45->154 75 2 other processes 45->75 63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        67 conhost.exe 52->67         started        69 conhost.exe 54->69         started        71 conhost.exe 56->71         started        signatures15 process16 signatures17 144 Multi AV Scanner detection for dropped file 58->144 146 Encrypted powershell cmdline option found 58->146 77 powershell.exe 58->77         started        80 powershell.exe 61->80         started        84 powershell.exe 73->84         started        86 powershell.exe 73->86         started        88 powershell.exe 73->88         started        90 7 other processes 73->90 process18 dnsIp19 156 Powershell drops PE file 77->156 92 conhost.exe 77->92         started        126 cdn.discordapp.com 162.159.134.233, 443, 49702, 49707 CLOUDFLARENETUS United States 80->126 110 C:\Users\user\...\SecurityHealthServic.exe, PE32 80->110 dropped 94 conhost.exe 80->94         started        128 162.159.135.233, 443, 49703 CLOUDFLARENETUS United States 84->128 96 conhost.exe 84->96         started        98 conhost.exe 86->98         started        100 conhost.exe 88->100         started        102 conhost.exe 90->102         started        104 conhost.exe 90->104         started        106 conhost.exe 90->106         started        108 4 other processes 90->108 file20 signatures21 process22
Threat name:
ByteCode-MSIL.Hacktool.ResInject
Status:
Malicious
First seen:
2022-10-16 12:20:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  1/5
Verdict:
malicious
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat botnet:filemanager botnet:securityhealthseurvice evasion persistence rat
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
217.64.31.3:8437
20.107.115.162:50239
Unpacked files
SH256 hash:
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e
MD5 hash:
048f1c0ada5aea3f7d53c19f0da9fd86
SHA1 hash:
ec20a946d901b410a712e1ce4c37ec8f40e40c7c
SH256 hash:
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d
MD5 hash:
c7a739caf480fe864aecc21cb8de6562
SHA1 hash:
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55
SH256 hash:
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12
MD5 hash:
6b09a4fb590bd045c9fb930d31348890
SHA1 hash:
df47a973ca61085875df25976aecd7d0b9773f4c
SH256 hash:
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375
MD5 hash:
3f8043b495753e0f1454a283b4fb0056
SHA1 hash:
d08b786ba7fefbf0522a6b619be79c11a5b12660
SH256 hash:
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5
MD5 hash:
adb48081c7bc5d3061b9929eabdbda5d
SHA1 hash:
c5dc3544076bd1cb840b99aa74b03005a27de550
SH256 hash:
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc
MD5 hash:
d1f5b8c61c7d3625ac3bf399e1809454
SHA1 hash:
ab74fe4eea2c2305df5aff758a435b70400fb772
SH256 hash:
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e
MD5 hash:
84ae88fb820d78a96482ecf5ff8225e3
SHA1 hash:
a16f95e7dc3583b2d5e953a6882d683a324bd3ca
SH256 hash:
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885
MD5 hash:
86d8c840abf82333ea4ec7a1cc581150
SHA1 hash:
92ed26c8382f0e0377800dcf09db7431c87bc193
SH256 hash:
d78e9e0a1f6c04c1b91ee040352536530abe1845af8f3d944af7893c67611ae9
MD5 hash:
272a03f015c0c3d3cde1e3c7464ccc53
SHA1 hash:
86563f50b72e1bbc737f169709b442c1c4adead8
SH256 hash:
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698
MD5 hash:
d410fc60a0465460f930f09232468e60
SHA1 hash:
7803d0e6a152614f5f9e3a864d5abf7f3b914436
SH256 hash:
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be
MD5 hash:
19e08e5c5874054097ad21d56d43a9fe
SHA1 hash:
267130895d1418a11ca46b8ecc8f8bc2e0bc7580
SH256 hash:
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c
MD5 hash:
9e75f2c3d21646bd2e6c2a2df7ea294d
SHA1 hash:
2532d6ecbb308a5be45591ee2846e50fe4226d11
SH256 hash:
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e
MD5 hash:
5e7d4fe880e2e06a96a861cdddded2b0
SHA1 hash:
0ab268b44f0786585db5314b71b9298215c7ac9d
SH256 hash:
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3
MD5 hash:
ce3777dbf6272e26b9fb44321900216d
SHA1 hash:
43d90c8b28f204c96b15c697e4d50eedde8d19d1
SH256 hash:
985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9
MD5 hash:
b28a3a496bb68f9c4308ee7d888e7a27
SHA1 hash:
7cca1a10272b84abf7da155f913a301533ffd2c4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

(this sample)

Comments