MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 14



SHA256 hash: b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA3-384 hash: 9a1b1ea3267315dd44c99cac89eb8d554a6520e3d942d4a74f69d68c946f94bdb190a54f6f4e37444eb5c382414c3eac
SHA1 hash: e54b697cf11d1478c9647794d1573800faa27109
MD5 hash: c00bb4f6743b66f820229cb1e7f366ea
humanhash: monkey-butter-sink-tango
File name: file
Signature: AsyncRAT
File size: 575'488 bytes
First seen: 2023-09-26 18:29:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:b8fDjmNbowoN2tXXk6bEBuav0vBgWHfW+Ew+FKcmzaNlfUGv20:b8OdowCKqzwhWvczK+
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1DCC44951AEB152CAE3EEC7758A2C62E06272EC733616D61BCC40B1757C1C6D78DF06A2
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: jstrosch
Tags: .NET AsyncRAT exe MSIL

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-26 08:43:04 UTC
Tags: loader smoke stealer redline opendir fabookie ransomware stop vidar trojan arkei

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed stealer
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: AsyncRAT, Fabookie, Glupteba, SmokeLoader
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected onlyLogger
Yara detected SmokeLoader
Behaviour
Behavior Graph (image not reproduced): ID 1314766, Sample: file.exe, Startdate: 26/09/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-09-26 04:28:10 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 20 of 23 (86.96%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Windows security modification
Downloads MZ/PE file
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: dbecd50730378b1f1e13606cf85ee947a4ae54eed3e6eab7f1602e76c9826022
MD5 hash: 1c674f94cbc1bc5b4b109d4cc25cb848
SHA1 hash: 2600a1941a23d39ab9e6a6826096b6328217c2a2
SHA256 hash: b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
MD5 hash: c00bb4f6743b66f820229cb1e7f366ea
SHA1 hash: e54b697cf11d1478c9647794d1573800faa27109
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | AsyncRAT | Executable exe b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9 (this sample)

Delivery method: Distributed via web download