MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf
SHA3-384 hash: 1f2cdb1f912a9c082e8ac67f86399bae677ffbce0aab7ea954b9975a7983eac8a5634503e9312fb83048769e43b804d1
SHA1 hash: f717c46bccc58f5a6b19083b6f00713cfce93b5d
MD5 hash: 02d2b7825e7e3014f8028ce7536474b6
humanhash: item-maryland-fix-snake
File name:usb.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:492'032 bytes
First seen:2023-04-20 15:23:25 UTC
Last seen:2023-04-28 04:42:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:eyaFTWoh1QNYGKvbkPsTpM+pt2S4t+m/0Y2Ya84lAy:3aNi1nPsvGS4d/tR74p
Threatray 113 similar samples on MalwareBazaar
TLSH T19FA4231322E97D32C1B377B61E6A13819AE3F0610D99065E385BD8B86F50A5C8B75FC3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter r3dbU7z
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
usb.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 15:26:31 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/5cfe7490-1972-415c-86c2-429e892644ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383796/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.26395.31544.13905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a service
Launching a process
Searching for the window
Searching for synchronization primitives
Creating a window
Creating a file
Changing a file
Modifying a system executable file
Reading critical registry keys
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/644159122efbb8b9c3f53e85/reports/d95242c5-062f-45b5-b2ce-bf52c38db8ac/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a720fd2d-043d-4a1d-9746-2c8417f9d6ab
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1218153
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 15:24:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzn6ani2of7uiqfstjq5ebvm6rcxyr2vne7v22hizm4zjdwfyhhq._file
Verdict:
malicious
Similar samples:
210f5a0beaff1d3d9464cd5dd312878692d7e2a752edc1c397eeed4051d8fb3b
AsyncRAT
43ef093bd74e97ee55e1026c5a5a18709f43d439a30ad54f779b70a280b8de3a
AsyncRAT
4c55fac9553b35c5e6e1079851747eb0166a6b370a81cdb835f4bdc285a78e0d
AsyncRAT
56ffd659d8921dab14dd3ea3e6d5702a13c02db0f9e81d343334914e10b1dfac
AsyncRAT
65dd55edad391fcbf7fbddfe26b3389b9c8a765cc22fd490e522a8cdc39314b3
AsyncRAT
8f4ccb41b24de4d077f55f9f33455424bafa4f7546bc4f55efb77c94f9877170
AsyncRAT
cb05606b742226130a4e421b47b04bee21b4da79bb883c15a3c6a9002d8dfa7d
AsyncRAT
f40dd6641748b834786cd41cbe281266218d3e5ff56257a30dcafc9c90cee1bf
AsyncRAT
f93a8bff8c23850428fccb9d7a85184c7279aab33364b88014e3372564cb9b00
AsyncRAT
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230420-ss15tsaf93/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
bd3af5a27e5dc4a06b81f715490a4b06af6422202377044598b78aedc618461f
MD5 hash:
30e4d33b9cc20530aa72140a59d0ca4f
SHA1 hash:
d38465335bbe28cb5636154b0ce350687939512c
Link:
https://www.unpac.me/results/9af5787d-e01e-457e-81aa-eab0362faa5c/
SH256 hash:
b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf
MD5 hash:
02d2b7825e7e3014f8028ce7536474b6
SHA1 hash:
f717c46bccc58f5a6b19083b6f00713cfce93b5d
Link:
https://www.unpac.me/results/9af5787d-e01e-457e-81aa-eab0362faa5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe b65be0351a717f4440b29a61d206acf4457c4755693f5d68e8cb39948ec5c1cf

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/383796/
  
URLhaus
https://urlhaus.abuse.ch/url/2614697/

Comments