MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 16 File information Comments

SHA256 hash:	c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
SHA3-384 hash:	e01957c893e33c87577b10dd68e79d737cf433c1a0e038262f0b4d71e17ed760ec788fbb3ad0f13e9c1e3fbfe2bec205
SHA1 hash:	27770fa35ea2ca6e1cd87f669e21f5e29cfaa381
MD5 hash:	e94abe514202de0a3e24c0f45ccea8a6
humanhash:	blossom-two-tennessee-steak
File name:	Eclipse.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	12'683'776 bytes
First seen:	2024-02-06 21:32:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep	196608:bI14Cek0gfc3haxZH+fiE1jlKkbSPSvFWuFBGFV42uL7e:bKekhfcuZH+XKgHFW+BGFVE7e
TLSH	T1F1D6BE137285D925CC3541F104A2D7B05EB19C18A9298BB73AD8BE7BFBF12C67A053D2
TrID	53.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.1% (.EXE) Win32 Executable Delphi generic (14182/79/4) 12.1% (.SCR) Windows screen saver (13097/50/3) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	b070f0bc9cc0f030 (2 x AsyncRAT)
Reporter	bobross_malware2
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

348

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

Eclipse RAT.rar

Verdict:

Malicious activity

Analysis date:

2024-01-15 15:20:08 UTC

Tags:

stealer redline

Link:

https://app.any.run/tasks/0587fef1-2560-4822-938a-6a550f2bf601

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/474948/

Detection(s):

Win.Malware.Fragtor-10016610-0

Win.Trojan.Generic-10019170-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

Win.Malware.Spygate-6855918-0

Win.Trojan.Injector-6297685-1

Win.Trojan.Agent-345883

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm aspnet_compiler cmd cmstp darkkomet dllhost explorer fingerprint lolbin lolbin msbuild netsh packed packed redline regasm regedit regsvcs remote runonce schtasks shell32 stealer vbc

Link:

https://www.filescan.io/uploads/65c2a5a004c91578faadbaf5/reports/582e2b09-664f-45b6-8434-e9e8ffd6949c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

Result

Verdict:

MALICIOUS

Malware family:

FlashDevelop

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20257a5a-bbf6-4d35-8366-f4c035ce7c24

Result

Threat name:

AsyncRAT, PureLog Stealer, RHADAMANTHYS,

Detection:

malicious

Classification:

troj.adwa.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1387875

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Drops PE files to the startup folder

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected RHADAMANTHYS Stealer

Yara detected RUNPE

Yara detected UAC Bypass using CMSTP

Yara detected XWorm

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606/

Threat name:

Win32.Trojan.XWormRAT

Status:

Malicious

First seen:

2024-01-13 23:40:32 UTC

File Type:

PE (Exe)

Extracted files:

413

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yejriucnas4xcta4hgjmuzzuq2s4rlewwyh3zcjlf6kcaquwwyda._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:redline family:zgrat discovery infostealer rat spyware stealer

Link:

https://tria.ge/reports/240206-1d7ytsggb7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Detect ZGRat V1

RedLine

RedLine payload

ZGRat

Unpacked files

SH256 hash:

eece4a517158baafc941a212f76737046bcaad254910d864446173e735279c2e

MD5 hash:

b220ad1800a1ef06b230895be473c923

SHA1 hash:

cb8136873064ee344098b8bc4173d81abc8c9e09

Detections:

redline

MALWARE_Win_zgRAT

Link:

https://www.unpac.me/results/8870127f-49a1-4c0a-b07c-803fe7c3f00d/

Parent samples :

c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SH256 hash:

a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4

MD5 hash:

e1990fe52ec2c952b28350a8f1c1689e

SHA1 hash:

2fd088c787de7573337cb533d275d8d9fb56c644

Detections:

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/8870127f-49a1-4c0a-b07c-803fe7c3f00d/

Parent samples :

f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

SH256 hash:

03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306

MD5 hash:

e1e28c3acf184aa364c9ed9a30ab7289

SHA1 hash:

1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

Link:

https://www.unpac.me/results/8870127f-49a1-4c0a-b07c-803fe7c3f00d/

SH256 hash:

03b982f0558cd6c3c3a48697f7ad6a5a938410545f60e63be67c03a74619ba70

MD5 hash:

35c6f3397cace892a6be7c8ca42a6232

SHA1 hash:

8e4756fa78c686e300b0a633582a90613c80104e

Link:

https://www.unpac.me/results/8870127f-49a1-4c0a-b07c-803fe7c3f00d/

SH256 hash:

c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

MD5 hash:

e94abe514202de0a3e24c0f45ccea8a6

SHA1 hash:

27770fa35ea2ca6e1cd87f669e21f5e29cfaa381

Detections:

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

MALWARE_Win_AsyncRAT

Link:

https://www.unpac.me/results/8870127f-49a1-4c0a-b07c-803fe7c3f00d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c11314504d04/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_decoding Create hunting rule
Author:	iam-py-test
Description:	Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Xworm_732e6c12 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/474948/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample