MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1

SHA256 hash: 9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
SHA3-384 hash: e97a38169877bf805c8e9acde0ad33d8b0f5af98e0f057a0cb1e0b7d905388f2dc25f4e20cbc4910916f4ea14af1d494
SHA1 hash: b6ca93a2c12c164a73339020070662b618723744
MD5 hash: d4278af4c129db3ea1c48d890304abd1
humanhash: table-mexico-twelve-don
File name:d4278af4c129db3ea1c48d890304abd1
Download: download sample
Signature AsyncRAT
File size:631'296 bytes
First seen:2022-08-05 18:22:08 UTC
Last seen:2022-08-05 20:11:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep 12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
TLSH T152D40295B2EB9B23E9784FF2B42152644770A03F956BE24E5C893CFB55B1B134B80B43
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @zbetcheckin
Tags:32 AsyncRAT exe trojan

Intelligence


File Origin
# of uploads :
2
# of downloads :
380
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
d4278af4c129db3ea1c48d890304abd1
Verdict:
Malicious activity
Analysis date:
2022-08-05 18:22:37 UTC
Tags:
asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Creates executable files without a name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679457 Sample: BfwPdttqxH Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 7 other signatures 2->76 10 BfwPdttqxH.exe 7 2->10         started        process3 file4 58 C:\Users\user\AppData\...\ZgolgcKGNozdg.exe, PE32 10->58 dropped 60 C:\...\ZgolgcKGNozdg.exe:Zone.Identifier, ASCII 10->60 dropped 62 C:\Users\user\AppData\Local\...\tmp6E9F.tmp, XML 10->62 dropped 64 C:\Users\user\AppData\...\BfwPdttqxH.exe.log, ASCII 10->64 dropped 84 Uses schtasks.exe or at.exe to add and modify task schedules 10->84 86 Adds a directory exclusion to Windows Defender 10->86 88 Injects a PE file into a foreign processes 10->88 14 BfwPdttqxH.exe 6 10->14         started        18 powershell.exe 23 10->18         started        20 schtasks.exe 1 10->20         started        22 2 other processes 10->22 signatures5 process6 file7 66 C:\Users\user\AppData\Roaming\.exe, PE32 14->66 dropped 90 Creates executable files without a name 14->90 24 cmd.exe 1 14->24         started        26 cmd.exe 1 14->26         started        28 conhost.exe 14->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        signatures8 process9 process10 34 .exe 5 24->34         started        37 conhost.exe 24->37         started        39 timeout.exe 1 24->39         started        41 conhost.exe 26->41         started        43 schtasks.exe 1 26->43         started        signatures11 78 Multi AV Scanner detection for dropped file 34->78 80 Machine Learning detection for dropped file 34->80 82 Adds a directory exclusion to Windows Defender 34->82 45 powershell.exe 34->45         started        47 schtasks.exe 34->47         started        49 .exe 34->49         started        52 .exe 34->52         started        process12 dnsIp13 54 conhost.exe 45->54         started        56 conhost.exe 47->56         started        68 37.0.14.198, 49763, 49768, 49774 WKD-ASIE Netherlands 49->68 process14
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Status:
Malicious
First seen:
2022-08-05 18:23:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
37.0.14.198:6161
Unpacked files
SH256 hash:
46073591e006a5026853317eea5502089a126b8845ae1b46e87dffa7040737d9
MD5 hash:
31648f8474e83e3133b7fab0eef003c9
SHA1 hash:
f67b9d9ad9a20692b3d5ed41c2174149e92c3af6
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SH256 hash:
b49b2285a56992bf312603ecbc025cbd0700c45118915c6fea997bce99becea3
MD5 hash:
6fa4db7bd885eccbdd540bf4f9f55ba7
SHA1 hash:
c55f8a015af2067df875853eefe0e61dc9daa490
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
SH256 hash:
9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
MD5 hash:
d4278af4c129db3ea1c48d890304abd1
SHA1 hash:
b6ca93a2c12c164a73339020070662b618723744

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
zbet commented on 2022-08-05 18:22:19 UTC

url : hxxp://ramalubegroup.ydns.eu/time/dub.exe