MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
SHA3-384 hash: f3ebbcead69031c31f40ffa6d10921ef426356e5525fcc1e0f1fb919fb3c3e29b00ece30c33b3ec07974458fd1eae5f9
SHA1 hash: ee22f5b25185c5a6d37e16d3eb52f9515fd6964d
MD5 hash: 1f2ec9232f191e28fa8d5fbcbfad3a4f
humanhash: lion-alpha-sink-four
File name:1f2ec9232f191e28fa8d5fbcbfad3a4f
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:51'712 bytes
First seen:2024-03-28 14:27:29 UTC
Last seen:2024-03-28 16:16:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:Idzg+bioFSXbzMncp4t9vUEUL4NQ6lD1UPko94yQ1Jzra4o35PGCwWCDGD3fNmHz:2mkcpumcvQaB/EINnZD6nLsow
Threatray 152 similar samples on MalwareBazaar
TLSH T1DF331947F6DA85B1C68887FAF19BC8C41378E792B2A3D74E788E139519433EAC90544F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
341
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08.exe
Verdict:
Malicious activity
Analysis date:
2024-03-28 14:28:52 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/0e1cdfa8-fd94-467f-9976-91c753476148

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Connection attempt to an infection source
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor packed
Link:
https://www.filescan.io/uploads/66057e76f1c80c2d4d5b6fe8/reports/b9192743-922c-42d8-b272-c8abff30c4e6/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98947057-c8bb-4341-8ceb-b292b988815b
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417077
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Drops executable to a common third party application directory
Drops large PE files
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417077 Sample: rU6YAgkoAw.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 78 leetboy.dynuddns.net 2->78 80 windowsupdatebg.s.llnwi.net 2->80 82 4 other IPs or domains 2->82 98 Multi AV Scanner detection for domain / URL 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 106 12 other signatures 2->106 10 rU6YAgkoAw.exe 15 6 2->10         started        14 svchos.exe 2->14         started        signatures3 104 Uses dynamic DNS services 78->104 process4 dnsIp5 84 93.123.39.68, 49699, 80 NET1-ASBG Bulgaria 10->84 72 C:\Users\user\AppData\...\tmpAADD.tmp.exe, PE32 10->72 dropped 16 tmpAADD.tmp.exe 4 10->16         started        file6 process7 file8 56 C:\Users\user\AppData\...\svchost (3).exe, PE32+ 16->56 dropped 58 C:\Users\user\AppData\Local\Temp\start.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\Temp\build.exe, PE32 16->60 dropped 94 Antivirus detection for dropped file 16->94 96 Machine Learning detection for dropped file 16->96 20 build.exe 179 16->20         started        24 start.exe 16->24         started        26 svchost (3).exe 2 16->26         started        signatures9 process10 file11 62 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 20->62 dropped 64 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 20->64 dropped 66 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 20->66 dropped 70 13 other files (8 malicious) 20->70 dropped 108 Multi AV Scanner detection for dropped file 20->108 110 Drops large PE files 20->110 28 main.exe 20->28         started        68 C:\Users\user\AppData\Roaming\svchos.exe, PE32 24->68 dropped 112 Antivirus detection for dropped file 24->112 114 Machine Learning detection for dropped file 24->114 116 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->116 33 cmd.exe 24->33         started        35 cmd.exe 24->35         started        118 Writes to foreign memory regions 26->118 120 Allocates memory in foreign processes 26->120 122 Sample uses process hollowing technique 26->122 124 Injects a PE file into a foreign processes 26->124 37 RegSvcs.exe 1 2 26->37         started        39 WerFault.exe 26->39         started        signatures12 process13 dnsIp14 86 cosmicdust.zip 192.236.232.25 HOSTWINDSUS United States 28->86 88 rentry.co 104.21.95.148 CLOUDFLARENETUS United States 28->88 90 cosmoplanets.net 172.67.142.111 CLOUDFLARENETUS United States 28->90 74 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32 28->74 dropped 126 Drops executable to a common third party application directory 28->126 41 main.exe 28->41         started        43 main.exe 28->43         started        128 Uses schtasks.exe or at.exe to add and modify task schedules 33->128 45 conhost.exe 33->45         started        47 schtasks.exe 33->47         started        49 svchos.exe 35->49         started        52 conhost.exe 35->52         started        54 timeout.exe 35->54         started        92 blue.o7lab.me 94.156.66.112 TERASYST-ASBG Bulgaria 37->92 file15 signatures16 process17 dnsIp18 76 leetboy.dynuddns.net 185.196.11.223 SIMPLECARRIERCH Switzerland 49->76
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-28 14:28:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=woy2igidcfv3zh7n2zadzgwrs5xo7xgvbqzcqwpzsoucfm53vqea._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
32bdc05f94a1cd79e80677c623332a0eb1fe83163a62f235c8a50d44034fea41
AsyncRAT
35c73c6c8bed8697de74b1509caf030fae69fb856edefc47342adde573da928c
AsyncRAT
6bd3a9be98f3e06d4cefbc574149bd6f80e1bd96b6ac7131349313c2c9c19fae
AsyncRAT
88f4284bc8f0f23ab3b6c37b3c1ae3f04993af17c2b968900006960338898546
AsyncRAT
9c4382baca1a31a12c7e60bf324113f763e3d4e813ee518638a6f6f85aac3c70
AsyncRAT
b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
AsyncRAT
e359c6277dcebf7b485dd5b3e54f25d60b4bbacf25f9818ac3f8604317136f4d
AsyncRAT
e3922972e0bf6c9b59bf0a4234818b92d9ccecda13d6ad729c86ab6143f79179
AsyncRAT
fb0cedd17622c47554bc9fada82b2135838059aae5fa17ead92ab3fd222cfab5
AsyncRAT
+ 142 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:exodus_market botnet:wdkiller rat
Link:
https://tria.ge/reports/240328-rszfkahe32/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Detects videocard installed
Enumerates processes with tasklist
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
leetboy.dynuddns.net:1339
blue.o7lab.me:4449
Unpacked files
SH256 hash:
b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
MD5 hash:
1f2ec9232f191e28fa8d5fbcbfad3a4f
SHA1 hash:
ee22f5b25185c5a6d37e16d3eb52f9515fd6964d
Link:
https://www.unpac.me/results/3b9ae46d-d0c9-423c-b13d-749e6557f12d/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3b1a4190311/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2794896/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-03-28 14:27:30 UTC

url : hxxp://93.123.39.68/deepweb.exe