MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 14



SHA256 hash: ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299
SHA3-384 hash: 773262928b081a409bdbaa6f868b33c020f0f38d274e76f91a6a7654fba5f2eade137b07b947d030ce7780e532c5f64a
SHA1 hash: abc7950d08edf60d26526f03521b4f34a5bfe811
MD5 hash: c8efdf607fd50fdefbc76a3cc6a080a7
humanhash: potato-kitten-michigan-aspen
File name: c8efdf607fd50fdefbc76a3cc6a080a7.exe
Signature: AsyncRAT
File size: 931'328 bytes
First seen: 2024-08-06 14:00:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger). This is the imphash shared by practically every .NET executable, because a managed PE imports only _CorExeMain from mscoree.dll; the tens of thousands of matches across unrelated families show it is not a usable pivot for this sample.
ssdeep: 24576:0K1e88CJPdUpyzrw2m93kKj8q3TsQ9Ud8x9x:V1ljJPdUpOw2+8WX9u8b
Threatray: 5'460 similar samples on MalwareBazaar
TLSH: T1391523E5BA8B27B3D2F2A67AD4E3F6C1C750E3F66A27CB1BB88451151531BB200056C3
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: abuse_ch
Tags: AsyncRAT, exe, RAT
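Before handing a file obtained from this entry to a sandbox or a decompiler, confirm it is the file the entry describes. The Python below is an added example and is not code from MalwareBazaar or from this page: it recomputes the four digests that the standard library can produce (MD5, SHA1, SHA256, SHA3-384) and compares them field by field with the values above, and it sweeps a mapping of file contents for any MD5/SHA1/SHA256 published on this entry, including the SHA256 values listed under "Unpacked files" further down. ssdeep, TLSH and imphash are deliberately left out because they need third-party packages (ssdeep, py-tlsh, pefile). The `files` mapping at the bottom is constructed placeholder data, not the sample.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Digests copied from this MalwareBazaar entry (the submitted file).
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299",
    "sha3_384": "773262928b081a409bdbaa6f868b33c020f0f38d274e76f91a6a7654fba5f2ea"
                "de137b07b947d030ce7780e532c5f64a",
    "sha1": "abc7950d08edf60d26526f03521b4f34a5bfe811",
    "md5": "c8efdf607fd50fdefbc76a3cc6a080a7",
}

# SHA256 values of the files listed under "Unpacked files" on this entry.
UNPACKED_SHA256: Set[str] = {
    "6d0522c16ae4f167af1558be9bcd645fafca919ca21411feb5bd690d3f53ee7f",
    "19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372",
    "9a14caeb20fabf441fc62761fbd414bc7276e8614746eb278311cde0ebcbea5a",
}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return the standard-library digests that MalwareBazaar publishes for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_against_entry(data: bytes, expected: Dict[str, str] = ENTRY_HASHES) -> Dict[str, bool]:
    """Compare every published digest with the recomputed one, per algorithm.

    Reporting per algorithm (instead of one boolean) makes a partial match visible:
    MD5 agreeing while SHA256 disagrees means the file or the record is wrong.
    """
    actual = compute_hashes(data)
    return {alg: actual[alg] == value.lower() for alg, value in expected.items()}


def known_hashes(entry: Dict[str, str] = ENTRY_HASHES,
                 unpacked: Iterable[str] = UNPACKED_SHA256) -> Set[str]:
    """Every hex digest on this entry that identifies a file on disk."""
    return {v.lower() for v in entry.values()} | {h.lower() for h in unpacked}


def sweep(files: Dict[str, bytes], known: Set[str]) -> List[str]:
    """Return the paths whose MD5, SHA1 or SHA256 appears in the known set."""
    hits = []
    for path, data in files.items():
        digests = compute_hashes(data)
        if any(digests[alg] in known for alg in ("md5", "sha1", "sha256")):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed input; in practice each value comes from open(path, "rb").read().
    files = {"benign.txt": b"hello", "candidate.exe": b"placeholder, not the sample"}
    print(verify_against_entry(files["candidate.exe"]))
    print(sweep(files, known_hashes()))
```

The per-algorithm result matters when a record has been copied by hand: a single mismatching field points at a transcription error or a different file, and the sweep reuses the same digests so a triage of a share or a mailbox dump needs no second hashing pass.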


abuse_ch
AsyncRAT C2:
45.66.231.202:7777

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
45.66.231.202:7777       https://threatfox.abuse.ch/ioc/1307452/
154.216.20.242:5000      https://threatfox.abuse.ch/ioc/1307453/

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT, Neshta, PureLog Stealer, RedLi
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Neshta
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1488811 | Sample: 69qhUXs68m.exe | Start date: 06/08/2024 | Architecture: WINDOWS | Score: 100

Network contacts recorded in the graph:
  server.underground-cheat.xyz (flagged: Performs DNS queries to domains with low reputation)
  gia.o7lab.me -> 154.216.20.242, ports 26644, 4449, 49705 (SKHT-AS Shenzhen Katherine Heng Technology Information Co, Seychelles), contacted by InstallUtil.exe
  blue.o7lab.me -> 45.66.231.202, ports 49704, 49717, 49719 (CMCSUS, Germany), contacted by pop3.exe
  2 other IPs or domains

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 31 other signatures.

Process tree (indentation = parent/child; "drops" and "signatures" are the graph's per-process annotations):
69qhUXs68m.exe
  drops: C:\Users\user\AppData\Local\Temp\pop3.exe (PE32); C:\Users\user\AppData\Local\Bqoqoaflz.exe (PE32); C:\Users\...\Bqoqoaflz.exe:Zone.Identifier (ASCII)
  signatures: Found many strings related to Crypto-Wallets (likely being stolen); Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  InstallUtil.exe  (C2: gia.o7lab.me)
    drops: C:\Users\user\AppData\Local\Temp\xxcjvf.exe, wjnous.exe, tqdxiz.exe (all PE32)
    cmd.exe  (Suspicious powershell command line found)
      powershell.exe
        xxcjvf.exe
          drops: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\Local\...\xxcjvf.exe (PE32); 76 other malicious files
          signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
          xxcjvf.exe
            drops: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\...\$77svchost.exe (PE32)
            svchost.com
              $77svchost.exe
                drops: C:\Users\user\AppData\Roaming\WinUpdate.exe (PE32)
                svchost.com
                cmd.exe
            Install.exe
              drops: C:\Users\user\AppData\Local\...\Install.exe (PE32)
              svchost.com
                Install.exe
      conhost.exe
    svchost.com
      cmd.exe
        powershell.exe
          svchost.com
            tqdxiz.exe
              drops: C:\Users\user\AppData\Roaming\$77pop2.exe (PE32)
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        conhost.exe
        Conhost.exe
      Conhost.exe
  pop3.exe  (C2: blue.o7lab.me)
    drops: C:\Users\user\AppData\Local\Temp\sicqtc.exe, cbgkco.exe (PE32)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen)
    svchost.com
      drops: C:\Program Files (x86)\...\Uninstall.exe (PE32); C:\...\MicrosoftEdgeUpdateSetup.exe (PE32); C:\...\MicrosoftEdgeUpdateCore.exe (PE32); 72 other malicious files
      signatures: Sample is not signed and drops a device driver; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
      cmd.exe  (Suspicious powershell command line found)
        powershell.exe
          svchost.com
            sicqtc.exe
              drops: C:\Users\user\AppData\Local\Twhyp.exe (PE32)
              signatures: Creates multiple autostart registry keys; Writes to foreign memory regions; Injects a PE file into a foreign process
              svchost.com
                cmd.exe
                  conhost.exe
        conhost.exe
    svchost.com
      cmd.exe
        powershell.exe  (Drops executables to the windows directory (C:\Windows) and starts them)
          svchost.com
            cbgkco.exe
              conhost.exe
        conhost.exe
  cmd.exe
    signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Uses ipconfig to lookup or modify the Windows network settings
    conhost.exe
    ipconfig.exe
  cmd.exe
    2 other processes
powershell.exe
  signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading
  conhost.exe
Bqoqoaflz.exe
  signatures: Injects a PE file into a foreign process
  svchost.com
    cmd.exe
      conhost.exe
      ipconfig.exe
  svchost.com
    cmd.exe
      2 other processes
  InstallUtil.exe
2 other processes
  Bqoqoaflz.exe
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign process
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2024-08-06 14:01:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Result
Malware family:
sectoprat
Score:
  10/10
Tags:
family:asyncrat family:neshta family:redline family:sectoprat botnet:default botnet:gia.o7lab.me:26644 botnet:o7lab credential_access defense_evasion discovery evasion execution infostealer persistence rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Async RAT payload
Credentials from Password Stores: Credentials from Web Browsers
AsyncRat
Detect Neshta payload
Modifies security service
Neshta
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of NtCreateUserProcessOtherParentProcess
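The behaviour lists above are what the sandbox observed; on an endpoint the same chain surfaces in process-creation telemetry. The Python below is an added example, not code from the page or from any vendor listed on it, that encodes a handful of the page's observations as rules over Sysmon Event ID 1-style process-creation events: PE files executed out of AppData\Local\Temp (pop3.exe, xxcjvf.exe and the others were dropped and run from there), a binary named svchost.com under C:\Windows (the dropped C:\Windows\svchost.com, which the behaviour graph shows launching cmd.exe and powershell.exe), file names carrying the $77 prefix seen on $77svchost.exe and $77pop2.exe, powershell.exe started with an execution-policy bypass, and schtasks.exe or at.exe spawned from cmd.exe. The events are constructed for the example; the field names follow Sysmon, the command lines are my guess at shape and are not strings taken from the sample.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]


def _img(e: Event) -> str:
    return e.get("Image", "").lower()


def _parent(e: Event) -> str:
    return e.get("ParentImage", "").lower()


def _cmd(e: Event) -> str:
    return e.get("CommandLine", "").lower()


# A PE launched directly from %LOCALAPPDATA%\Temp.
TEMP_PE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$")
# -ep / -ex / -exec / -executionpolicy followed by "bypass".
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass")

RULES: Dict[str, Callable[[Event], bool]] = {
    # Dropped PEs (pop3.exe, xxcjvf.exe, ...) were executed out of %TEMP%.
    "pe_run_from_temp": lambda e: bool(TEMP_PE.search(_img(e))),
    # The sample dropped and started C:\Windows\svchost.com; the genuine service host is svchost.exe.
    "svchost_com_in_windows": lambda e: _img(e).endswith("\\windows\\svchost.com")
                                        or _parent(e).endswith("\\windows\\svchost.com"),
    # $77svchost.exe / $77pop2.exe: the $77 prefix on dropped file names.
    "dollar77_prefix": lambda e: _img(e).rsplit("\\", 1)[-1].startswith("$77"),
    # "Bypasses PowerShell execution policy".
    "powershell_exec_bypass": lambda e: _img(e).endswith("\\powershell.exe")
                                        and bool(EXEC_POLICY_BYPASS.search(_cmd(e))),
    # "Uses schtasks.exe or at.exe to add and modify task schedules", spawned from cmd.exe.
    "schtasks_from_cmd": lambda e: _img(e).endswith(("\\schtasks.exe", "\\at.exe"))
                                    and _parent(e).endswith("\\cmd.exe")
                                    and any(sw in _cmd(e) for sw in ("/create", "/change")),
}


def evaluate(events: List[Event]) -> List[Dict[str, object]]:
    """Return one finding per event that fires at least one rule, in input order."""
    findings = []
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e)]
        if fired:
            findings.append({"pid": e.get("ProcessId"), "image": e.get("Image"), "rules": fired})
    return findings


# Constructed events: field names follow Sysmon Event ID 1, contents are invented for the example.
EVENTS: List[Event] = [
    {"ProcessId": "1001", "Image": r"C:\Users\user\AppData\Local\Temp\pop3.exe",
     "ParentImage": r"C:\Users\user\Desktop\69qhUXs68m.exe", "CommandLine": "pop3.exe"},
    {"ProcessId": "1002", "Image": r"C:\Windows\svchost.com",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\pop3.exe", "CommandLine": "svchost.com"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\svchost.com", "CommandLine": "cmd.exe /c stage.bat"},
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -File stage.ps1"},
    {"ProcessId": "1005", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 1 /tn Update /tr stage.bat"},
    {"ProcessId": "1006", "Image": r"C:\Users\user\AppData\Roaming\$77pop2.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\tqdxiz.exe", "CommandLine": "$77pop2.exe"},
    # Legitimate service host: must not fire.
    {"ProcessId": "1007", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

The svchost.com rule checks the parent as well as the image because, in the graph, most of the interesting children (cmd.exe, powershell.exe, the second-stage droppers) have svchost.com as their parent rather than being svchost.com themselves; a rule on the image alone would see only the first hop.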
Malware Config
C2 Extraction:
blue.o7lab.me:7777
server.underground-cheat.xyz:7777
154.216.20.242:5000
gia.o7lab.me:5000
154.216.20.242:4449
gia.o7lab.me:26644
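The IOC table and the extracted C2 list above describe the same infrastructure in two shapes, raw IP:port pairs and hostnames with ports. The Python below is an added example (not from the page or from abuse.ch) that folds both into one watch-list and runs it over a few constructed Zeek-style conn.log and dns.log records: listed IP:port pairs match with full confidence, a listed IP on an unlisted port is reported at lower confidence (the sandbox noted "Uses known network protocols on non-standard ports", and the graph shows 154.216.20.242 on ports the config does not name), and DNS queries match on the hostname or any subdomain of it. The log lines are constructed; the field layout follows Zeek's tab-separated format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Indicators as published on this entry: the ThreatFox IOCs plus the C2 extraction.
RAW_IOCS: List[str] = [
    "45.66.231.202:7777",
    "154.216.20.242:5000",
    "blue.o7lab.me:7777",
    "server.underground-cheat.xyz:7777",
    "gia.o7lab.me:5000",
    "154.216.20.242:4449",
    "gia.o7lab.me:26644",
]


@dataclass
class WatchList:
    ip_ports: Set[Tuple[str, int]] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def build_watchlist(raw: List[str]) -> WatchList:
    """Split host:port indicators into IP-based and name-based watch sets."""
    wl = WatchList()
    for ioc in raw:
        host, _, port = ioc.rpartition(":")
        try:
            ipaddress.ip_address(host)          # raises ValueError for hostnames
            wl.ip_ports.add((host, int(port)))
            wl.ips.add(host)
        except ValueError:
            wl.domains.add(host.lower().rstrip("."))
    return wl


def domain_matches(name: str, domains: Set[str]) -> bool:
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_conn(lines: List[str], wl: WatchList) -> List[dict]:
    """Zeek conn.log, tab-separated: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ..."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p = line.split("\t")[:6]
        dst = f"{resp_h}:{resp_p}"
        if (resp_h, int(resp_p)) in wl.ip_ports:
            hits.append({"ts": ts, "uid": uid, "src": orig_h, "dst": dst, "match": "ip:port"})
        elif resp_h in wl.ips:
            # Known C2 address, port not in the extracted config: lower confidence, still review.
            hits.append({"ts": ts, "uid": uid, "src": orig_h, "dst": dst, "match": "ip-only"})
    return hits


def scan_dns(lines: List[str], wl: WatchList) -> List[dict]:
    """Zeek dns.log subset, tab-separated: ts uid id.orig_h query"""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        ts, uid, orig_h, query = line.split("\t")[:4]
        if domain_matches(query, wl.domains):
            hits.append({"ts": ts, "uid": uid, "src": orig_h, "query": query, "match": "domain"})
    return hits


# Constructed records (not real traffic): one listed pair, one listed IP on an unlisted port, noise.
CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1722952800.1\tCabc1\t10.0.0.5\t49704\t45.66.231.202\t7777\ttcp",
    "1722952801.2\tCabc2\t10.0.0.5\t49705\t154.216.20.242\t26644\ttcp",
    "1722952802.3\tCabc3\t10.0.0.7\t51000\t192.0.2.10\t443\ttcp",
]
DNS_LOG = [
    "1722952799.9\tCdns1\t10.0.0.5\tgia.o7lab.me",
    "1722952799.9\tCdns2\t10.0.0.5\tupdate.example.net",
    "1722952803.0\tCdns3\t10.0.0.9\tcdn.server.underground-cheat.xyz",
]

if __name__ == "__main__":
    wl = build_watchlist(RAW_IOCS)
    for hit in scan_conn(CONN_LOG, wl) + scan_dns(DNS_LOG, wl):
        print(hit)
```

Whether to widen the domain set to the parent o7lab.me (two of the three C2 names sit under it) is a judgement call the list above does not make for you; the example matches only the names the entry publishes and their subdomains.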
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash: 6d0522c16ae4f167af1558be9bcd645fafca919ca21411feb5bd690d3f53ee7f
MD5 hash: a7c49c8bfa310d284d82c0874be44f8c
SHA1 hash: c62fa2193a2c1378efeba38253a473bda371e218

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: 9a14caeb20fabf441fc62761fbd414bc7276e8614746eb278311cde0ebcbea5a
MD5 hash: bc46b95a07fd5db06716e91efd317dab
SHA1 hash: 19395ccc3ddfcf5c850a3c7cadde486de128f6f1
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299
MD5 hash: c8efdf607fd50fdefbc76a3cc6a080a7
SHA1 hash: abc7950d08edf60d26526f03521b4f34a5bfe811
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Malware family: AsyncRAT
File: Executable exe, SHA256 ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                          Title                                              Severity
CHECK_AUTHENTICODE          Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)    high

Both findings are routine for an unsigned .NET build and carry no weight on their own; the useful part is the confirmation that there is no Authenticode signature to pivot on.

Comments