MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406
SHA3-384 hash: 6c85da2c5067c5f50ce76d62d98ca7fabc678cb79afd01981a20236c2d63f3e01d6ea8f25dc98d80dbeeec0270eb8e9b
SHA1 hash: 8ca42bfbcc30dc190bf60d6fd7d273daceaba3a3
MD5 hash: fd1001a56cf5f0c585bcd9d8a15034b9
humanhash: sierra-alabama-dakota-earth
File name:SKM-012002001.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:60'928 bytes
First seen:2022-02-16 17:10:13 UTC
Last seen:2022-02-21 09:06:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'660 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 384:v49k+b2mPzaqAYuueEyuxFTmOETYLNwd9WEfdwO43WaB:v4Db5c+FTmOEkNaWkwR
Threatray 630 similar samples on MalwareBazaar
TLSH T124535E75F2828852D8650239B4494274732BDFC44F03AB3B6BA7BF4E2F75E039E525A1
File icon (PE):PE icon
dhash icon 8084aeacaeae8480 (6 x AsyncRAT)
Reporter cocaman
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241986/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GLW.genEldorado.18516.15755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/620d3032a2660f3bb9e7c50a/reports/3942d6b0-3fae-4d8d-a4df-9b58cca28048/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dfffd5cd-ac97-4d53-9ad9-6775be568919
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/941022
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses the Telegram API (likely for C&C communication)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 573501 Sample: SKM-012002001.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 96 68 yahoo.com 2->68 90 Malicious sample detected (through community Yara rule) 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected AsyncRAT 2->94 96 6 other signatures 2->96 9 SKM-012002001.exe 16 7 2->9         started        13 Ubxloikp.exe 1 2->13         started        16 Ubxloikp.exe 2->16         started        signatures3 process4 dnsIp5 80 api.telegram.org 149.154.167.220, 443, 49811 TELEGRAMRU United Kingdom 9->80 82 transfer.sh 144.76.136.153, 443, 49770 HETZNER-ASDE Germany 9->82 62 C:\Users\user\AppData\...\Ubxloikp.exe, PE32 9->62 dropped 64 C:\Users\...\Ubxloikp.exe:Zone.Identifier, ASCII 9->64 dropped 66 C:\Users\user\...\SKM-012002001.exe.log, ASCII 9->66 dropped 18 cmd.exe 1 9->18         started        21 MSBuild.exe 2 9->21         started        24 cmd.exe 1 9->24         started        34 9 other processes 9->34 98 Machine Learning detection for dropped file 13->98 26 cmd.exe 13->26         started        28 cmd.exe 13->28         started        36 2 other processes 13->36 30 cmd.exe 16->30         started        32 cmd.exe 16->32         started        file6 signatures7 process8 dnsIp9 88 Uses ping.exe to check the status of other devices and networks 18->88 38 conhost.exe 18->38         started        40 PING.EXE 1 18->40         started        70 severdops.ddns.net 62.197.136.69, 49817, 6204 SPRINTLINKUS Netherlands 21->70 43 2 other processes 24->43 45 2 other processes 26->45 47 2 other processes 28->47 49 2 other processes 30->49 51 2 other processes 32->51 53 14 other processes 34->53 55 4 other processes 36->55 signatures10 process11 dnsIp12 57 PING.EXE 1 38->57         started        60 conhost.exe 38->60         started        72 yahoo.com 74.6.143.26 YAHOO-3US United States 40->72 74 98.137.11.163 YAHOO-GQ1US United States 43->74 76 74.6.231.20 YAHOO-NE1US United States 53->76 78 74.6.143.25 YAHOO-3US United States 53->78 process13 dnsIp14 84 74.6.231.21 YAHOO-NE1US United States 57->84 86 yahoo.com 57->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 17:11:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsljagnngxkqxosxtqnwqkziabhhaoj76plvay3onzwpcoprmqda._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1bc7ae65ce4613e96d19dcf560ec6bb47395431ed05480c42895002570c9cb3a
AsyncRAT
274422d8fb0a807ee41552012c99ca2573555c43a3314968554836c1646f4c15
AsyncRAT
47e65f3cd47ce47eb9594e6019dbbaa86ca678dad2b5bb590f072a8cc133e9e0
AsyncRAT
59893fb4830848787d1fd9f791eef1ee05376264d556887e7ad1c5075d1365ea
AsyncRAT
8b77fc7dd49e34fe3183dc9b994cb249dbc50a59e12460cc78fbe115d62c2d09
AsyncRAT
ca9cf9fd1fe5446319f7038465c6e4b33e2969591717350535e4f24ee237c6cd
AsyncRAT
cec4f834904872bea22fc5be10142a10accab72e4fb882a86d91db46891caaa7
AsyncRAT
dbd907b09dd3b29a2482cfd460af698cb64465cd8526607939b05cdf96abfe6f
AsyncRAT
e803c5d292e1684844ff0ac82e76ca90caca1e44e7cd3507ce4ee4507b9d9fb2
AsyncRAT
+ 620 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/220216-vp9znsdbhp/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
AsyncRat
Unpacked files
SH256 hash:
9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406
MD5 hash:
fd1001a56cf5f0c585bcd9d8a15034b9
SHA1 hash:
8ca42bfbcc30dc190bf60d6fd7d273daceaba3a3
Link:
https://www.unpac.me/results/f21c36d3-a0db-45fd-b596-483c45ad7f9b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9c969019ad35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

img 645ece0829d4bdd6b598b9cdf2f496809b1dca21f5b53b97c6a25222294b4bc0

AsyncRAT

Executable exe 9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 645ece0829d4bdd6b598b9cdf2f496809b1dca21f5b53b97c6a25222294b4bc0
Cape
Cape
https://www.capesandbox.com/analysis/241986/

Comments