MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3f91c8552f371de2a6f4e60dbc45d639ad319e5ef67ebad80ba5676d93f3ae1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3f91c8552f371de2a6f4e60dbc45d639ad319e5ef67ebad80ba5676d93f3ae1
SHA3-384 hash: baddd2ab8d875306767b147c8ba7afc0c67edfe808212b00759103597d05d17a09d948bd0bb5a0798efcba057b401710
SHA1 hash: e392dd6234f31e09ec24f284e2017ce5956f33c7
MD5 hash: 3400b0a78512bddf4976ad50b48cba25
humanhash: texas-florida-lithium-coffee
File name:3400b0a78512bddf4976ad50b48cba25.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:53'760 bytes
First seen:2022-07-30 08:50:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:o8Kkq0i880k0PNCClrrUHsywy38P+bb35JhHDPnVKM6Skaynk9j801LAQPS/1:hiuilwysOb35jPnttyk9jHLAQa/1
Threatray 2'140 similar samples on MalwareBazaar
TLSH T1653309047BDCCD51E1AA9AB8A5E0A1F59679A173F7E2E3CB088401D38D172C98ED1DF4
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
2.58.56.41:1996

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.58.56.41:1996 https://threatfox.abuse.ch/ioc/840348/

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295202/
Detection(s):
SecuriteInfo.com.BackDoor.AsyncRATNET.1.7408.15372.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Adding an access-denied ACE
Launching a process
Creating a process with a hidden window
Creating a file
Creating a file in the %temp% directory
Running batch commands
Sending a custom TCP request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62e4f0f7a9ecd5e3101c9ab2/reports/f666cc23-5408-4435-87c1-9f49d3963433/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4a69242-f83a-4fd4-89ec-d66d4930804d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043477
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 675971 Sample: hLJ9kIltBg.exe Startdate: 30/07/2022 Architecture: WINDOWS Score: 100 43 vbnuxy.hopto.org 2->43 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 6 other signatures 2->55 10 hLJ9kIltBg.exe 1 8 2->10         started        signatures3 process4 file5 39 C:\ProgramData\...\Win Defender.exe, PE32 10->39 dropped 41 C:\Users\user\AppData\...\hLJ9kIltBg.exe.log, ASCII 10->41 dropped 57 Detected unpacking (overwrites its own PE header) 10->57 59 Uses cmd line tools excessively to alter registry or file data 10->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 10->61 14 cmd.exe 1 10->14         started        16 schtasks.exe 1 10->16         started        18 attrib.exe 1 10->18         started        20 2 other processes 10->20 signatures6 process7 process8 22 Win Defender.exe 14 3 14->22         started        25 conhost.exe 14->25         started        27 timeout.exe 1 14->27         started        29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        dnsIp9 45 vbnuxy.hopto.org 2.58.56.41, 1996, 49750, 49755 SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands 22->45 47 discord.com 162.159.138.232, 443, 49737 CLOUDFLARENETUS United States 22->47 35 powershell.exe 23 22->35         started        process10 process11 37 conhost.exe 35->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3f91c8552f371de2a6f4e60dbc45d639ad319e5ef67ebad80ba5676d93f3ae1/
Threat name:
ByteCode-MSIL.Trojan.Dnoper
Create hunting rule
Status:
Malicious
First seen:
2022-07-27 16:21:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wp4rzbks6ny54ktpjzqnxrc5monnggpf55t6xlmaxjlhnwj7hlqq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0bc34209adba693df004565db62ac2b8ac0a2fa249b89ca4f403479cd5bccbdf
AsyncRAT
2560cc6fef94164b1e60d22763fc15dfb84314b6b5f7f581b1ea3a09af2e3021
AsyncRAT
668c5486d1680bd9bb7f687ff7573b53d22d594937083fd8e752062f7f9fd6e7
AsyncRAT
8ccaed7c504359bba64e038edf5284fc059e34c7f57793b223b92704efe4d028
AsyncRAT
b0abb1e9b7f39644513bff297e18dbc7e8a6a1b00664110a9f8ddf92fa78eea1
AsyncRAT
b1d729ad290e65f3d5fabff4b60a38516ab97e85f49021af8911cd5e934169ef
AsyncRAT
b999ca69b211c89b669c18ec8543d34f203f73a1c793db6d481da5c917c3f116
AsyncRAT
b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c
AsyncRAT
+ 2'130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/220730-kr5smaachm/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Sets file to hidden
Unpacked files
SH256 hash:
b3f91c8552f371de2a6f4e60dbc45d639ad319e5ef67ebad80ba5676d93f3ae1
MD5 hash:
3400b0a78512bddf4976ad50b48cba25
SHA1 hash:
e392dd6234f31e09ec24f284e2017ce5956f33c7
Link:
https://www.unpac.me/results/d7a7f3d0-a501-4e9d-b9fe-b13ffcdb8db7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3f91c8552f371de2a6f4e60dbc45d639ad319e5ef67ebad80ba5676d93f3ae1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295202/

Comments