MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5959f4f6d94ca394cb8cb672b9e3a777c069e45e168a0bee26bb2153b9d02f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5959f4f6d94ca394cb8cb672b9e3a777c069e45e168a0bee26bb2153b9d02f4
SHA3-384 hash: a260aba35e4300f0fcff06cbf2bec46d73b4ce99f44725bb2c14673ea5d9c411374f2572d63fe445738a62272e4ba470
SHA1 hash: 32b2ae9802a2c7abd7fde6722b6d32f6d544a251
MD5 hash: 9721a6312066160ccddcbff6a081d078
humanhash: vegan-nuts-early-low
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'110'016 bytes
First seen:2023-01-29 11:45:38 UTC
Last seen:2023-01-29 19:30:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'835 x AgentTesla, 19'772 x Formbook, 12'296 x SnakeKeylogger)
ssdeep 24576:5/gg2FirvvWk0+qKbaFZsApB4f3l31cconBuOhjSX:brngnWO
Threatray 5'426 similar samples on MalwareBazaar
TLSH T1D735CF12B1F290A3F48745B69025BECD2C3C7113B6D5E61726793A9067068BBFBC4FA1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:AsyncRAT exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc712319849_660705441?hash=tTNTSy6VcyySxz7ZmODfUWu7Jo92gMcs1Rm0ZDgJnnH&dl=G4YTEMZRHE4DIOI:1674991597:MIW7Qf22MpwGUCwqS0lzIalCmLXEBsZxGPrF8TAIYKk&api=1&no_preview=1#cry1

Intelligence

File Origin
# of uploads :
160
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-29 11:47:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bd81782-957f-4ebb-b99c-245e20dd1847

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357915/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d65c7c447edb203a01d38c/reports/b7ddfb8a-c56f-474b-a71e-5b9eb23f87fd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a45f4df-8591-4a2f-9d3e-a21f4424cf5c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161013
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793750 Sample: file.exe Startdate: 29/01/2023 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected MSILDownloaderGeneric 2->43 45 Yara detected AntiVM3 2->45 47 6 other signatures 2->47 8 njkvd.exe 4 2->8         started        11 file.exe 4 2->11         started        process3 file4 49 Multi AV Scanner detection for dropped file 8->49 51 Machine Learning detection for dropped file 8->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->53 55 Encrypted powershell cmdline option found 8->55 14 njkvd.exe 8->14         started        18 powershell.exe 21 8->18         started        37 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 11->37 dropped 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->57 59 Adds a directory exclusion to Windows Defender 11->59 61 Injects a PE file into a foreign processes 11->61 20 file.exe 5 11->20         started        23 powershell.exe 21 11->23         started        signatures5 process6 dnsIp7 39 helloworld123.zapto.org 79.134.225.99, 44820, 49705 FINK-TELECOM-SERVICESCH Switzerland 14->39 63 Encrypted powershell cmdline option found 14->63 25 powershell.exe 14->25         started        27 conhost.exe 18->27         started        33 C:\Users\user\AppData\Local\zsngs\njkvd.exe, PE32 20->33 dropped 35 C:\Users\user\...\njkvd.exe:Zone.Identifier, ASCII 20->35 dropped 29 conhost.exe 23->29         started        file8 signatures9 process10 process11 31 conhost.exe 25->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5959f4f6d94ca394cb8cb672b9e3a777c069e45e168a0bee26bb2153b9d02f4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-28 19:42:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwkz6t3nstfdstfyzntsxhr2o56anhsf4fukbpxcnozbko45al2a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b9c9b54d5549d7336f31646826215d69c4252486aefde1846bcbe369629844f
AsyncRAT
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
AsyncRAT
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
AsyncRAT
45bb069a3ebb02281ce014ef985f3c31f1186c086d331adbe3f07950aaa5ed8f
AsyncRAT
5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3
AsyncRAT
5e6776ba02afa4c03138edcdf1e10dabee3efd6afd1620dcdb3138e7632bcb79
AsyncRAT
7efc5412627522e01e6be72ff0d8528c7cb140cf741e61458d50b653242e2b76
AsyncRAT
97ced07bdc4f3aa27a05afd76de293eccc176c133626da95cabee1c25de17867
AsyncRAT
b2e31ed9833299ec3c166877db92ff5d477858f5867ca5494b26a82558e4616e
AsyncRAT
+ 5'416 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230129-nxa2zsde95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
6b77e2bfff019609c509c3e559c6870dbb7e8d8b9979affb98440e079c99e354
MD5 hash:
958e4d62824c29a594256646c3d6bbf9
SHA1 hash:
e2f2004a3932381c8e70ecde39a129f0f6add9b0
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
8c2004715d2eaa9500451a2c1458c2ebd3face3aeb6b50bb3d701ec673c3fda6
MD5 hash:
62d8cf9b6d9928ce73dbcaf2a43587b1
SHA1 hash:
2ce302b0ee989551ccf1a4a08a87787371cd6ab8
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
9757c550df3adc8e0e8872ece866c1cc7a9f7f6fdb310d7bb2493c0f474d46ce
MD5 hash:
6a3ef90f389db5a9588dfa58c70e3f88
SHA1 hash:
1a930abd46b8fd3686456b6fb80668df7750c2f2
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
5a82485cd83ce358eefb2f20e0294b40d2efa67262669ac3c8377c71c46f37a4
MD5 hash:
3e6a042dd583369c31785d215eebac14
SHA1 hash:
182134d60decc115df8f105246153edd7ca4eeda
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
7e870e6fd0d9b5b37b90e67bbe560828e0334ebe069a346ec8efd1be62153948
MD5 hash:
babb7f06af7268915291ea0d6f29f2ee
SHA1 hash:
8a79d2303ff25dd3970831260a9a3d9c46f1d8b4
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
39ee02fbe7475f49dfa5ab838e7851d0afb243cd2c9335c4de7310eb77250a77
MD5 hash:
c93e0be1c633b4cca05a40c1e4364077
SHA1 hash:
5224313dc94075f021e92899296c1fe585a1d6e8
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
c4a03988e232311406ea842df30e5c1f2ce9a32bf7892b3ba44b829572ba7188
MD5 hash:
1bda66b65cb25fcb98fe3ec2d1458c9b
SHA1 hash:
50615ed4340d5389ec33794c6d5f9da7a658ac88
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
SH256 hash:
a5959f4f6d94ca394cb8cb672b9e3a777c069e45e168a0bee26bb2153b9d02f4
MD5 hash:
9721a6312066160ccddcbff6a081d078
SHA1 hash:
32b2ae9802a2c7abd7fde6722b6d32f6d544a251
Link:
https://www.unpac.me/results/fd36b282-505d-452a-981f-d2ffd1275ff4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5959f4f6d94ca394cb8cb672b9e3a777c069e45e168a0bee26bb2153b9d02f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/357915/

Comments