MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 43 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68
SHA3-384 hash: f5c1da5b45613cd824cf7722c873ad8972074ecec471cbf641d5fae332c4032ae6d9bb53bf554447554914a37805d0de
SHA1 hash: 109e32187254b27e04ef18bbe1b48fad42bca841
MD5 hash: 33ae2b9c3e710254fe2e2ce35ff8a7c8
humanhash: eighteen-maine-pip-ink
File name:iviewers.dll
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:90'112 bytes
First seen:2025-01-02 18:12:39 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d8b7f311dc1cf9fbfebee86209359312 (1 x AsyncRAT)
ssdeep 1536:L02ifPleVQ8zxlaSRslYzy26igsbuNdn4fuH1e6tsWy4cdlETcgS/iG:5iV4Qaxltsl/ggsCN3oBlQcgkiG
Threatray 14 similar samples on MalwareBazaar
TLSH T1BE937B1171D2D075E57E29351434CA654B3EB920CFE09DAB639A0ABA8F302C0DF35E6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:147-45-44-131 AsyncRAT booking dll Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6776d73574a2bd296e252dca
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Forced shutdown of a system process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6776d7350a45a868c018af2e/reports/47cd8517-a076-4075-a79f-820f9b30e8bb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlobRunner
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8abb12fc-9d40-4375-a0f0-051d10b54121
Result
Threat name:
DcRat, KeyLogger, StormKitty, Strela Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1583432
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Strela Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1583432 Sample: iviewers.dll Startdate: 02/01/2025 Architecture: WINDOWS Score: 100 112 Suricata IDS alerts for network traffic 2->112 114 Found malware configuration 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 18 other signatures 2->118 11 loaddll32.exe 1 2->11         started        process3 process4 13 rundll32.exe 11->13         started        15 cmd.exe 1 11->15         started        18 cmd.exe 11->18         started        20 2 other processes 11->20 signatures5 22 cmd.exe 13->22         started        126 Suspicious powershell command line found 15->126 25 rundll32.exe 15->25         started        27 powershell.exe 18->27         started        30 cmd.exe 1 20->30         started        process6 file7 120 Suspicious powershell command line found 22->120 32 powershell.exe 22 22->32         started        36 conhost.exe 22->36         started        38 cmd.exe 25->38         started        88 C:\Users\user\AppData\Local\...\snrj5tfq.0.cs, Unicode 27->88 dropped 122 Writes to foreign memory regions 27->122 124 Injects a PE file into a foreign processes 27->124 40 csc.exe 3 27->40         started        42 RegAsm.exe 27->42         started        44 powershell.exe 30->44         started        46 conhost.exe 30->46         started        signatures8 process9 file10 78 C:\Users\user\AppData\...\10esxhtc.cmdline, Unicode 32->78 dropped 94 Found many strings related to Crypto-Wallets (likely being stolen) 32->94 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->96 98 Writes to foreign memory regions 32->98 104 2 other signatures 32->104 48 RegAsm.exe 1 3 32->48         started        52 csc.exe 3 32->52         started        100 Suspicious powershell command line found 38->100 55 powershell.exe 38->55         started        57 conhost.exe 38->57         started        80 C:\Users\user\AppData\Local\...\snrj5tfq.dll, PE32 40->80 dropped 59 cvtres.exe 1 40->59         started        102 Injects a PE file into a foreign processes 44->102 61 csc.exe 5 44->61         started        63 RegAsm.exe 44->63         started        signatures11 process12 dnsIp13 90 157.20.182.177, 4449, 49776, 49810 FCNUniversityPublicCorporationOsakaJP unknown 48->90 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->106 84 C:\Users\user\AppData\Local\...\10esxhtc.dll, PE32 52->84 dropped 65 cvtres.exe 1 52->65         started        92 147.45.44.131, 49726, 49727, 49728 FREE-NET-ASFREEnetEU Russian Federation 55->92 108 Writes to foreign memory regions 55->108 110 Injects a PE file into a foreign processes 55->110 67 csc.exe 4 55->67         started        70 RegAsm.exe 55->70         started        72 RegAsm.exe 55->72         started        86 C:\Users\user\AppData\Local\...\wt2ogsc5.dll, PE32 61->86 dropped 74 cvtres.exe 1 61->74         started        file14 signatures15 process16 file17 82 C:\Users\user\AppData\Local\...\5swi5u3s.dll, PE32 67->82 dropped 76 cvtres.exe 1 67->76         started        process18
Score:
17%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68/
Threat name:
Win32.Exploit.VenomRAT
Create hunting rule
Status:
Malicious
First seen:
2025-01-02 18:05:39 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqudryjay7wvwwbl5xdbo7yuuuvkk6fn52rgtuhzn7drvfn5nzua._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
AsyncRAT
320db923b7c701a6005e465a082ad48c2f3c8f36145ece15b4980a44202383fe
AsyncRAT
569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
AsyncRAT
5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
AsyncRAT
7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10
AsyncRAT
7e129f68ebb1e8730941dcf50344e256bd0e32f29cac0e641426b88a17e131c6
AsyncRAT
ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
AsyncRAT
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
AsyncRAT
error
AsyncRAT
+ 4 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery execution rat stealer
Link:
https://tria.ge/reports/250102-wtqx2azqhz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Unpacked files
SH256 hash:
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68
MD5 hash:
33ae2b9c3e710254fe2e2ce35ff8a7c8
SHA1 hash:
109e32187254b27e04ef18bbe1b48fad42bca841
Link:
https://www.unpac.me/results/2dc2a756-8660-40fd-947b-9ff3c7755921/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c2838e120c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
Author:ditekSHen
Description:Detects executables with interest in wireless interface using netsh
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_ArrowRAT
Create hunting rule
Author:ditekSHen
Description:Detects ArrowRAT
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_CyberStealer
Create hunting rule
Author:ditekSHen
Description:Detects CyberStealer infostealer
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:MALWARE_Win_UnamedStealer
Create hunting rule
Author:ditekSHen
Description:Detects unknown infostealer. Observed as 2nd stage and injects into .NET AppLaunch.exe
Rule name:MALWARE_Win_VenomRAT
Create hunting rule
Author:ditekSHen
Description:Detects VenomRAT
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:venomrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Windows_Generic_Threat_2bb6f41d
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_DCRat_1aeea1ac
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments