MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4
SHA3-384 hash: d48a8bc4412595a969f9710e139e7930fe48976393c31b307e7b62ac68442340e81549a95b2013c4537376e418b42af9
SHA1 hash: 2d3f85f45e4483f8d6a39a614d415110e574c6d2
MD5 hash: 2a62bfcb257bc494d0d0da94c9e08b38
humanhash: burger-cold-kentucky-wyoming
File name:file
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'762'216 bytes
First seen:2022-08-30 18:47:27 UTC
Last seen:2022-08-31 05:37:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b56becd743da900a4c9b850754b1a3a (1 x AsyncRAT)
ssdeep 49152:XM0jPObj7t1/znzLqlpWsUYZjHYqb01M0fg:XM0qTt5znzLMJzZjH2m
TLSH T12E85125B2EECD7A1EAC325F6E454C3121B93AB7F697EC64CB7F041801E22B6D041E51A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0cc8e9696cce8f0 (1 x AsyncRAT)
Reporter andretavare5
Tags:AsyncRAT exe signed

Code Signing Certificate

Organisation:shoprollick.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-07T22:53:36Z
Valid to:2022-11-05T22:53:35Z
Serial number: 04c6a4371df4bbb40e1515638163bfcf3e7c
Thumbprint Algorithm:SHA256
Thumbprint: 61c803ee8c4dc2b08f01d86e791a59f8dcfada2c3395cc779e3c686741b779d4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc572676066_643739007?hash=zlkPT5qsW9n7PFPyNj8bUZgqmNZI2wwQnT3YKRQtrXD&dl=GU3TENRXGYYDMNQ:1661884368:i6aLskvHQK3AQDyO8iXulvZSdRZru4ZSv5fCAfYx1WP&api=1&no_preview=1#wnww14

Intelligence

File Origin
# of uploads :
7
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-08-31 05:56:53 UTC
Tags:
opendir evasion trojan socelars stealer loader rat redline arkei asyncrat
Link:
https://app.any.run/tasks/41850a87-dedc-4c5e-bfd7-5a011ab54814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/303434/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the system32 subdirectories
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/31371/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/630e5ca05b45ec20ccda0036/reports/b5974b72-9ac3-4d10-b23c-fb2dd49b1ae0/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2022-08-30 18:48:18 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wlfqc5unxpfo4tpcsv7h6yf3zg4ad5hyeere7cppq6ki7v6bjpka._file
Verdict:
malicious
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:smart audio rat
Link:
https://tria.ge/reports/220830-xftx7sfbf3/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
acronispandora.ddns.net:1604
Unpacked files
SH256 hash:
53ac1ef528a0f03c8ebf57b0727b83a18ddd99b32edad54a703ab9df6cc734f0
MD5 hash:
1fbef5258753561ae1bc8639649e6d65
SHA1 hash:
58aa9b17caa2dea988a7f4d93f21961dc7d1d475
Link:
https://www.unpac.me/results/1d6158ad-48df-42ec-9a2d-58da39435171/
SH256 hash:
b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4
MD5 hash:
2a62bfcb257bc494d0d0da94c9e08b38
SHA1 hash:
2d3f85f45e4483f8d6a39a614d415110e574c6d2
Link:
https://www.unpac.me/results/1d6158ad-48df-42ec-9a2d-58da39435171/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/303434/

Comments