MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a
SHA3-384 hash:	e8c08e38580763bfa2c5742aa67ce8be71c651df9a2793fa7be9c2a48e4f8805177cd4939ba4638bd9b01f434a5026d4
SHA1 hash:	125f845b058e48ba231f188137a878520c6f5d6f
MD5 hash:	074a6b553634933fee4a6e5e8c5805d4
humanhash:	mike-indigo-low-yankee
File name:	wdods.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	261'792 bytes
First seen:	2024-01-20 19:44:15 UTC
Last seen:	2024-01-20 21:36:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0141971a8d138ea93bd8cdb6f25fb1d2 (1 x AsyncRAT)
ssdeep	6144:PbTkceHZKQyKjU+VSn7FILUAOtnGStiMVuiW:PbwceHZKQhWOLUq5MVfW
TLSH	T124449E00B5918432E873193349FD9B799A3DB9600B1469EBA3C80A7FCF717D1BA3156B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	adm1n_usa32
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a.exe

Verdict:

Suspicious activity

Analysis date:

2024-01-20 19:47:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2b28c3ec-f7b1-4d42-82d1-3fc733aab933

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471918/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader46.48151.7255.23213.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Sending a custom TCP request

Creating a window

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint overlay packed phishing

Link:

https://www.filescan.io/uploads/65ac22c02593e1cd0bab2390/reports/5c928dc8-7e0c-42a8-b9e3-d9461b431362/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/19290945-2a67-4b75-aa6c-f7786a3024cb

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1378069

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Found stalling execution ending in API Sleep call

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a/

Threat name:

Win32.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2024-01-18 12:58:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tnebsoxmvh24ukuxg6mbein77iosmjplgcmotsw22gfqyh2amvfa._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240120-ygds2sfhh3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a

MD5 hash:

074a6b553634933fee4a6e5e8c5805d4

SHA1 hash:

125f845b058e48ba231f188137a878520c6f5d6f

Link:

https://www.unpac.me/results/4896b1f9-010c-4440-aa09-78c1a3ac8e62/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b48193aeca9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.hybrid-analysis.com/sample/9b48193aeca9f5ca2a9737981221bffa1d2625eb3098e9cadad18b0c1f40654a/65ac2061b101c689470ce2ac

Cape

https://www.capesandbox.com/analysis/471918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample