MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e
SHA3-384 hash: 66e1d1c5f6b8a9e612e3a524102e7d8d9f3a7a4d9009e34bbe6e0c5a551ae49121d9e9d65a892e2916c8bc90bd119e5d
SHA1 hash: 74631e45551ba8720b245cf7be037ee323d1fd2c
MD5 hash: f9de1fb675449b43c81b123ba98af6ad
humanhash: monkey-aspen-potato-hot
File name:16746864.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:3'443'776 bytes
First seen:2022-03-18 05:10:34 UTC
Last seen:2022-03-18 06:36:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 864b130d9dff73c4008a50bc627cf3cc (1 x AsyncRAT)
ssdeep 98304:nVI+ZymhJC+/SbtF5Bt7HYryiDj9v0d/i5ZkVEJW2He:V1ymhwDpHYryccdzEJWx
Threatray 10'190 similar samples on MalwareBazaar
TLSH T10BF533E0FC4CE9E7E4790A778111E452E5606897DA60116E3CBBBBFB857FB0222170D6
File icon (PE):PE icon
dhash icon f9d9d8d8d8dacccc (1 x AsyncRAT)
Reporter adm1n_usa32
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252256/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39129851.2729.135.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623414690cd58dbd92b3fa45/reports/ee28b42d-9242-4f1f-8d44-ae5be4320cb8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4345686-b5f2-4c19-a5c8-c956a0741917
Result
Threat name:
AsyncRAT RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959226
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-03 14:47:36 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
018f2af002d120d8f1008f4050a4f25762812a8e24f9cf8c506eff6009546dc8
AsyncRAT
057e92d5cb962f0860f3f59f767645350a870c5a884afe1a2806509954036633
AsyncRAT
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
AsyncRAT
415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8
AsyncRAT
4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd
AsyncRAT
5013372389580672743ad71d9ec522caa057a4f7863ae8fc460ebba005121fd8
AsyncRAT
5a37e85ddf1b693cb2e938710a4fc0cea30062eb784ad5b8cecd0d1170d5da6f
AsyncRAT
b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
AsyncRAT
de1ae614a8a926b44989594d2bd4615c14700e575662d7c4689789d6b228f79e
AsyncRAT
+ 10'180 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:salee discovery rat spyware stealer
Link:
https://tria.ge/reports/220318-fvadnsgag8/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
RedLine
RedLine Payload
Malware Config
C2 Extraction:
tradigview.xyz:12777
Unpacked files
SH256 hash:
47cdabc378e3e79f35f69b3fb51facde6f1a86878414fcf95b9d658f81f14483
MD5 hash:
4b2daa1c7052e7b052c8bc29b9dd08c0
SHA1 hash:
97fb8f9b3f0fc03c2d00370eb427608a7e84bdda
Link:
https://www.unpac.me/results/0d4de61d-97f4-404e-ad44-2527cdb8eda5/
SH256 hash:
a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e
MD5 hash:
f9de1fb675449b43c81b123ba98af6ad
SHA1 hash:
74631e45551ba8720b245cf7be037ee323d1fd2c
Link:
https://www.unpac.me/results/0d4de61d-97f4-404e-ad44-2527cdb8eda5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe a364ac3a85646140bf43748f643c2172b42dd4dfc6b66030db2ed5f93abc7f7e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072433/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2073051/
Cape
Cape
https://www.capesandbox.com/analysis/252256/

Comments