MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71
SHA3-384 hash: 93d362b439f75f90143fbe1f6ddc4379c12d8918b202491ef195516f600704c6e554027e476214f4322f1c466c121349
SHA1 hash: 653ec005de1c9eaa01d0caf97fd4a4c568263df1
MD5 hash: ba88096aed1d0887ac87096eb02f31d7
humanhash: two-romeo-asparagus-illinois
File name:AS-0987654567890-09654.pif.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:156'282 bytes
First seen:2022-12-05 13:00:20 UTC
Last seen:2022-12-05 14:29:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 3072:QEhKzShSycSMPJk+V42ma+9zxIT+DPjMBBYECSF:QBn1PJkS42mBITe+US
Threatray 3'189 similar samples on MalwareBazaar
TLSH T1EEE3022B3AE0C9F7E56743724E3697E9D7BAE2094171649353E60FBF68352C1C44B281
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
45.137.22.111:8787

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
AS-0987654567890-09654.pif.exe
Verdict:
Malicious activity
Analysis date:
2022-12-05 14:21:17 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/cf1d7841-452d-40e2-8f2d-72bbab3f81cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342919/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.26690.26421.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/638deb8f0c6473d1671983e3/reports/f95f723e-015b-4ec3-a062-f088d87e34a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb639f52-1daa-44ee-a334-bf56c8b8c410
Result
Threat name:
AsyncRAT, PhoenixRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128043
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PhoenixRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 760769 Sample: AS-0987654567890-09654.pif.exe Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 5 other signatures 2->44 7 AS-0987654567890-09654.pif.exe 19 2->7         started        10 ocwwiqlgifp.exe 2->10         started        13 ocwwiqlgifp.exe 2->13         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\sbuwe.exe, PE32 7->26 dropped 15 sbuwe.exe 1 2 7->15         started        46 Multi AV Scanner detection for dropped file 10->46 19 WerFault.exe 4 10 10->19         started        21 WerFault.exe 10 13->21         started        signatures5 process6 file7 28 C:\Users\user\AppData\...\ocwwiqlgifp.exe, PE32 15->28 dropped 34 Multi AV Scanner detection for dropped file 15->34 36 Maps a DLL or memory area into another process 15->36 23 sbuwe.exe 2 15->23         started        signatures8 process9 dnsIp10 30 45.137.22.111, 49713, 8787 ROOTLAYERNETNL Netherlands 23->30 32 192.168.2.1 unknown unknown 23->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 11:15:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzkhjky6dtzvrm2pw6boic4sbdmwoyslwy6u6wfhjhl3e7ak5zyq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780
AsyncRAT
4b0daee330f56dd0578f2a7fdd845e6d4cd51153af10c1495b371f6b1647410a
AsyncRAT
aa95fe913583ea0c39f73537e541bd08b873d67ec971a1736032ff3cf14959df
AsyncRAT
ae032c424848abf38b7ce6bbcb10d9abdec605cf01d1e0a067b2a1dce91df944
AsyncRAT
d7f9d9ab8843e314c4d4e370fc95dca66a1d558a71edb8d996ac415e4ff24efd
AsyncRAT
e2fceae16b2385a8e596aea841a593482101741ab8f1a3344b95d001dd9ea0e6
AsyncRAT
+ 3'179 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat upx
Link:
https://tria.ge/reports/221205-p872jaff21/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
45.137.22.111:8787
Unpacked files
SH256 hash:
f8e7b4132350b81c29d250bfb65d2ba53fb848d932906a9860ebfd0c5cccd440
MD5 hash:
af57239524b71e44de3e1cac7dd330f6
SHA1 hash:
018206280a7363d990a8262554886896fd2f4d08
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/4986a8fd-84c1-4917-b9c8-2ab467407136/
SH256 hash:
68a046e415e053a2d08f25bf4bad843033d022972e4d540a5cee7c190d86c23b
MD5 hash:
5cfc7cc62290cdacd8514b4eaa87b727
SHA1 hash:
99fb90f5129a6c67523cec296067ca746b455cce
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/4986a8fd-84c1-4917-b9c8-2ab467407136/
SH256 hash:
a6f1575a17540db945d22247f41b80f00b8f1a5d85a63d0c2aa7fb9aa405bd3f
MD5 hash:
51b1213e3b3ac55e28bdfb6ba8e68d65
SHA1 hash:
f7db5144b7510e4f47385d9e892ab0ec5e8b528c
Link:
https://www.unpac.me/results/4986a8fd-84c1-4917-b9c8-2ab467407136/
SH256 hash:
c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71
MD5 hash:
ba88096aed1d0887ac87096eb02f31d7
SHA1 hash:
653ec005de1c9eaa01d0caf97fd4a4c568263df1
Link:
https://www.unpac.me/results/4986a8fd-84c1-4917-b9c8-2ab467407136/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c65474ab1e1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c65474ab1e1cf358b34fb782e40b9208d967624bb63d4f58a749d7b27c0aee71

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342919/

Comments