MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e
SHA3-384 hash: 4de27ef7ae57fea5e6ec86c962cb3e6cfab085d31971ca5def1fd1a7a41dbe2cdc4706b6b6052f98fc611c58d322177d
SHA1 hash: 93d0094038126ec31a5f0a9251318cdfb163cade
MD5 hash: 749fdef07e576ac40e42568780bd26bd
humanhash: texas-rugby-cup-cup
File name:1wwyaeeCYc.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:98'304 bytes
First seen:2023-06-01 06:16:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:H0l3SSJshJixmFLZbIUfyVAEfUtweBXDMKrxWGHXKBJNfGtLF9pZO:9dhJVZbIUqVAbFDM0c7JNfAJ9pZO
Threatray 1'469 similar samples on MalwareBazaar
TLSH T1F8A32AAC67A86602C31D863683F08250533A96771B57E74B0AC721ED0F677C6A44EFDB
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter koluke
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1wwyaeeCYc.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 06:17:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d78ad67b-88a1-41f6-914f-4963d0a42fe6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394307/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.25394.17279.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/647837df0a98d88b592ab1ea/reports/d3f905da-cab8-4f5f-aafa-5d4a9de6b948/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b7be23bb-48bc-4203-b333-d75d19440a18
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246596
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 879617 Sample: 1wwyaeeCYc.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 11 other signatures 2->75 8 1wwyaeeCYc.exe 15 7 2->8         started        13 svchost.exe 2 2->13         started        15 svchost.exe 2->15         started        17 svchost.exe 2 2->17         started        process3 dnsIp4 67 5.42.94.169, 49718, 49719, 49720 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 8->67 59 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 8->59 dropped 61 C:\Users\user\AppData\...\1wwyaeeCYc.exe.log, ASCII 8->61 dropped 85 Drops PE files with benign system names 8->85 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        87 Machine Learning detection for dropped file 13->87 89 Writes to foreign memory regions 13->89 91 Injects a PE file into a foreign processes 13->91 24 aspnet_state.exe 13->24         started        32 3 other processes 13->32 93 System process connects to network (likely due to code injection or exploit) 15->93 34 4 other processes 15->34 26 ilasm.exe 17->26         started        28 WsatConfig.exe 17->28         started        30 AddInProcess32.exe 17->30         started        36 11 other processes 17->36 file5 signatures6 process7 signatures8 38 svchost.exe 3 19->38         started        41 conhost.exe 19->41         started        43 timeout.exe 1 19->43         started        79 Uses schtasks.exe or at.exe to add and modify task schedules 21->79 45 conhost.exe 21->45         started        47 schtasks.exe 1 21->47         started        process9 signatures10 81 Writes to foreign memory regions 38->81 83 Injects a PE file into a foreign processes 38->83 49 jsc.exe 38->49         started        53 ServiceModelReg.exe 38->53         started        55 aspnet_regiis.exe 38->55         started        57 7 other processes 38->57 process11 dnsIp12 63 192.3.101.190, 2015, 49723, 49726 AS-COLOCROSSINGUS United States 49->63 65 192.168.2.1 unknown unknown 49->65 77 Tries to harvest and steal browser information (history, passwords, etc) 49->77 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e/
Threat name:
Win64.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 06:00:44 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwhoslg3axesiu6abhahsjtwz2avv4jjrs56t43ea7kjgo4lsqxa._file
Verdict:
malicious
Similar samples:
0118ff85ec2075d5a4f006c5baec65212ae5b921ca00fdb66859687836b8efef
AsyncRAT
584c7bd597822f806b5fd30ee9c07a9d09f2fd1d9195e462a33656f3778ef1f4
AsyncRAT
64c33ae79784c3af1e39f89e4bbb1754b1b683c56b53a02ffead97315a173fcc
AsyncRAT
682f46b161401fb00f263cb29ec705cde9ab8de124ea372800b841e9b36349fd
AsyncRAT
726e443731f4005814fed05263c664cf47c64eaf2135a192fe1771e03ef42341
AsyncRAT
a38ee725e23f1acc01722da5a54cbf1cd76937271509f08a9c795fc3a0301f2b
AsyncRAT
b7ab877e18717c49a98531ba38f4a885384ac7432e74250b888ec436a4b91549
AsyncRAT
c615b57a74eefbaa313b34fcd75289db5d298d50640f242200044f4a9e7bbe80
AsyncRAT
de80076c4c1d002abd45622a0e79f3f823560d66ef4ef66055ab1a88341d16a7
AsyncRAT
+ 1'459 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat
Link:
https://tria.ge/reports/230601-g1g65sdd7t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
192.3.101.190:2015
Unpacked files
SH256 hash:
a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e
MD5 hash:
749fdef07e576ac40e42568780bd26bd
SHA1 hash:
93d0094038126ec31a5f0a9251318cdfb163cade
Link:
https://www.unpac.me/results/c63e9976-25da-4421-b01c-be8d80b849ae/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a58ee92cdb05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394307/

Comments