MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
SHA3-384 hash: ecd66e0d23deb4dd95a0dc2f3008cbd6de5062afb84cb4c8198b804fb329174f0f80970706c0acfbb3e366f605f0b93c
SHA1 hash: 3732116b8ef5ee6094ea49a0658dcb7a7adb2634
MD5 hash: 467e95c9a46987552925c47bc7b38916
humanhash: solar-bakerloo-single-uranus
File name:abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:11'140'776 bytes
First seen:2024-11-14 18:55:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 196608:FppMHcmWuVIdrgeXoNY9kRsYuXZx7bbWtKm2eRe2tfny7NY+Uvl7a9tJJwZ4OZ7c:Fppky+IJX9kIOATpYtl7a9ZwZBZY
Threatray 3 similar samples on MalwareBazaar
TLSH T1A9B63394B5E358F3C17521B0EC696C1222B7A32A45E14E0B8BC76F1946E37A7428F35F
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 78e4c0dc84f4f040 (1 x AsyncRAT)
Reporter JAMESWT_WT
Tags:AsyncRAT exe sirnisirlo-online

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
Verdict:
Malicious activity
Analysis date:
2024-11-14 19:05:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14b560bb-b4f8-4846-b28b-e607a9f3fb94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673647e84ca0f9db40c45ede
Tags:
virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint installer microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/673647c20448e79357517236/reports/e3e78d91-aaa3-40d3-869b-7b0b92210f2e/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2ae9002-db01-4aed-b586-85ff0b8b2aa1
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1556011
Signature
AI detected suspicious sample
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1556011 Sample: TVr2Z822J3.exe Startdate: 14/11/2024 Architecture: WINDOWS Score: 100 67 sirnisirlo.online 2->67 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Yara detected UAC Bypass using CMSTP 2->75 77 2 other signatures 2->77 10 TVr2Z822J3.exe 14 2->10         started        14 ActiveISO.exe 1 2->14         started        16 ActiveISO.exe 1 2->16         started        signatures3 process4 file5 59 C:\Users\user\Qt5Widgets.dll, PE32+ 10->59 dropped 61 C:\Users\user\Qt5PrintSupport.dll, PE32+ 10->61 dropped 63 C:\Users\user\Qt5Network.dll, PE32+ 10->63 dropped 65 7 other files (3 malicious) 10->65 dropped 105 Drops PE files to the user root directory 10->105 18 ActiveISO.exe 13 10->18         started        107 Maps a DLL or memory area into another process 14->107 109 Found direct / indirect Syscall (likely to bypass EDR) 14->109 22 cmd.exe 2 14->22         started        24 cmd.exe 1 16->24         started        signatures6 process7 file8 45 C:\Users\user\AppData\...\Qt5Widgets.dll, PE32+ 18->45 dropped 47 C:\Users\user\AppData\...\Qt5PrintSupport.dll, PE32+ 18->47 dropped 49 C:\Users\user\AppData\...\Qt5Network.dll, PE32+ 18->49 dropped 53 7 other files (3 malicious) 18->53 dropped 79 Found direct / indirect Syscall (likely to bypass EDR) 18->79 26 ActiveISO.exe 1 18->26         started        51 C:\Users\user\AppData\Local\Temp\itpyyyx, PE32+ 22->51 dropped 81 Writes to foreign memory regions 22->81 83 Maps a DLL or memory area into another process 22->83 29 UploadAlt_Ti.exe 22->29         started        31 conhost.exe 22->31         started        33 conhost.exe 24->33         started        signatures9 process10 signatures11 101 Maps a DLL or memory area into another process 26->101 103 Found direct / indirect Syscall (likely to bypass EDR) 26->103 35 cmd.exe 5 26->35         started        process12 file13 55 C:\Users\user\AppData\Local\Temp\josveh, PE32+ 35->55 dropped 57 C:\Users\user\AppData\...\UploadAlt_Ti.exe, PE32+ 35->57 dropped 85 Writes to foreign memory regions 35->85 87 Found hidden mapped module (file has been removed from disk) 35->87 89 Maps a DLL or memory area into another process 35->89 91 Switches to a custom stack to bypass stack traces 35->91 39 UploadAlt_Ti.exe 35->39         started        43 conhost.exe 35->43         started        signatures14 process15 dnsIp16 69 sirnisirlo.online 188.114.97.3, 443, 49180, 49191 CLOUDFLARENETUS European Union 39->69 93 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->93 95 Tries to harvest and steal browser information (history, passwords, etc) 39->95 97 Tries to harvest and steal Bitcoin Wallet information 39->97 99 Found direct / indirect Syscall (likely to bypass EDR) 39->99 signatures17
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5/
Threat name:
Win32.Dropper.HijackLoader
Create hunting rule
Status:
Malicious
First seen:
2024-11-14 18:53:12 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
14 of 24 (58.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpt4zesvjmw67rwdg3k4v6v6pghr63dva5wmz2ex2yzx7w6ef7kq._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
finfisherrat
Create hunting rule
Similar samples:
3bf4932e6121846f3303818932219f7984ac60196b65e4f62a796156923d556a
AsyncRAT
error
AsyncRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/241114-xktg8ssbjq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/742d6c5e-abda-4a4b-94fa-74d360a875f3
Unpacked files
SH256 hash:
588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd
MD5 hash:
b84dfabe933d1160f624693d94779ce5
SHA1 hash:
ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f
Link:
https://www.unpac.me/results/f93fc440-9b99-48ad-8e1e-7827fda5d192/
SH256 hash:
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
MD5 hash:
75e78e4bf561031d39f86143753400ff
SHA1 hash:
324c2a99e39f8992459495182677e91656a05206
Link:
https://www.unpac.me/results/f93fc440-9b99-48ad-8e1e-7827fda5d192/
SH256 hash:
abe7cc92554b2defc6c336d5cafabe798f1f6c75076ccce897d6337fdbc42fd5
MD5 hash:
467e95c9a46987552925c47bc7b38916
SHA1 hash:
3732116b8ef5ee6094ea49a0658dcb7a7adb2634
Link:
https://www.unpac.me/results/f93fc440-9b99-48ad-8e1e-7827fda5d192/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abe7cc92554b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://x.com/malwrhunterteam/status/1857108083052257719

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments