MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f
SHA3-384 hash: c78a11b41facaf7a30a48ed465099e5071a446a8fc64b5b74027f19ad0538dcf222bbad55779a1a0b762d7fe3cd8df07
SHA1 hash: 3960f44dd004c0b27ca093aec83009162deec01e
MD5 hash: b61c2bfecf60e226fc7227ef7e093677
humanhash: three-ceiling-diet-avocado
File name:b61c2bfecf60e226fc7227ef7e093677.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'296'352 bytes
First seen:2023-07-19 06:19:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea2d297e3bd3b5b7def0556d0ff46651 (1 x AsyncRAT, 1 x LummaStealer, 1 x RedLineStealer)
ssdeep 24576:PKK5UKlzyC0rG3ElzweHbF5a16lJie3PGDDcz9lbAUm:zlzyC0rG3Elr/a1aJP/ycpeUm
Threatray 1 similar samples on MalwareBazaar
TLSH T1B755CF1139C0803ADA7331320A69F7B64ABFF4701B655AEF13D8197E5F706C16B3626A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
b61c2bfecf60e226fc7227ef7e093677.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 06:21:40 UTC
Tags:
asyncrat
Link:
https://app.any.run/tasks/1e27be1c-e4bd-46a7-b160-6556e8e3bc5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424468/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12297.21810.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/64b78096fd9e198dc115fc24/reports/aa02d04d-0b62-4555-834a-92a982cdec54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9788d24-2e0c-404d-a9f9-3b163e42a18c
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275744
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 22:31:54 UTC
File Type:
PE (Exe)
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tk7zzwklwt53xoyytu7dddkf3vqeeuzmp5z4njfjeda2evxmycpq._file
Verdict:
unknown
Similar samples:
8004bfbed6a65d43e8278bcfaf6eb153b9d37067e0a1c1ed6b7b7d428de93a2d
AsyncRAT
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230719-g3rhlaha3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
7.tcp.eu.ngrok.io:19187
Unpacked files
SH256 hash:
421b567b5698edbcc05d2b66994b1f81061595b82f2cff78cb0b580fc6a85018
MD5 hash:
dd0ea59625278570cbccd328342f2a8d
SHA1 hash:
967c50c8c78491e46e07ecd7bda157e12694e5f7
Link:
https://www.unpac.me/results/5adddbbe-5da4-4a75-a86c-cf4495fcab43/
SH256 hash:
52bd5f12f27da0f3cb8b4e2acb5387e36c71e4c67e1debc13c569486dfd25823
MD5 hash:
eaa91442ab1fca451c82857c14c37e44
SHA1 hash:
5faf0e867f03ddb408888501d81f4a99ed819567
Link:
https://www.unpac.me/results/5adddbbe-5da4-4a75-a86c-cf4495fcab43/
SH256 hash:
1537a4fc2105ebeed933c74cf658503ff8ae93db64f99c1023898b6a643ebebd
MD5 hash:
ced3a00043fc422c6a26ecd4a8e83a3e
SHA1 hash:
420844efa776a38e195e1168b6084007f7281f36
Detections:
DCRat
Create hunting rule
Link:
https://www.unpac.me/results/5adddbbe-5da4-4a75-a86c-cf4495fcab43/
SH256 hash:
9abf9cd94bb4fbbbbb189d3e318d45dd6042532c7f73c6a4a920c1a256ecc09f
MD5 hash:
b61c2bfecf60e226fc7227ef7e093677
SHA1 hash:
3960f44dd004c0b27ca093aec83009162deec01e
Link:
https://www.unpac.me/results/5adddbbe-5da4-4a75-a86c-cf4495fcab43/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9abf9cd94bb4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424468/

Comments