MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af
SHA3-384 hash:	908699f0b9bf761aa1104c212e51ce8778c0c6a204316ff4f1292268c2628ed2277bef846c7fe957908b9a317e0cccbf
SHA1 hash:	bbaf763d8b26f468f6d4fb5cb631e3fedb3c965b
MD5 hash:	f9482bb02601f897d980e64e4b54fe3c
humanhash:	grey-ohio-lemon-twenty
File name:	f9482bb02601f897d980e64e4b54fe3c.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	10'240 bytes
First seen:	2022-10-15 06:23:44 UTC
Last seen:	2022-10-15 07:14:50 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	192:ZBlbXZH5KcyeRrUt0cgh8/2PnH/7AvBp:ZBkurM05S/2vHzM
Threatray	8'391 similar samples on MalwareBazaar
TLSH	T1BE2262693381E6A9CCAC4F71C853C7E01E34BE115E168B9B36E0AB4F6E313907D207A5
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter	abuse_ch
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/320560/

Detection(s):

SecuriteInfo.com.Variant.Cerbu.152983.26423.5246.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/634a5205b5f60e72b8c6738e/reports/e5acc5b4-b752-4cf8-9b7a-9f262cf36663/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ccdaedb1-e504-48d2-9c69-a767c1682e0b

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1091136

Signature

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2022-10-15 04:56:31 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uigweeioh2osmwpokuuzam77gvbl3tqlm2psthnnddo5zzg5ygxq._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

6d47f8ada452dc27e95a28f8a81289605e672ccc37535ead55be796bd1eb861f

AsyncRAT

8f4ccb41b24de4d077f55f9f33455424bafa4f7546bc4f55efb77c94f9877170

AsyncRAT

97cdc8291c3e88742b152e68d8521cffdf47faedd1aad2fadd353837d398d47e

AsyncRAT

a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96

AsyncRAT

ab1e880eff8a63ee635f09beadb45555263f751aa1e2e22c0b4de61724923b36

AsyncRAT

c6d746c1cfde6d2f1d19a371be49f86cb8baf750f3678fdeea5803dea510a0d2

AsyncRAT

d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f

AsyncRAT

e03d591a93de843040bb2f66df84bea9d5c69b6a3037cee6034da6df6bf9d17a

AsyncRAT

+ 8'381 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221015-g52rcafcd8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c1abae9a-78aa-4dd8-9a93-45bdcca6d25f

Unpacked files

SH256 hash:

a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af

MD5 hash:

f9482bb02601f897d980e64e4b54fe3c

SHA1 hash:

bbaf763d8b26f468f6d4fb5cb631e3fedb3c965b

Link:

https://www.unpac.me/results/e2b38913-6b09-47ca-a22b-8f12bc64d287/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a20d62110e3e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.