MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487
SHA3-384 hash: bdb0e5e608b81541050552b176aedb5d707abfdfa20837ddea18ff613289024cbac42e36ae98ec3861be0d5f7d9636ba
SHA1 hash: 5c5121725c037601de85a17c6fc5a9c5e63a73ae
MD5 hash: 4a508c2b7ecc58143b347ad184bf47cf
humanhash: pip-nebraska-aspen-beryllium
File name:bPzi.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:48'640 bytes
First seen:2023-09-04 16:07:26 UTC
Last seen:2023-09-06 14:13:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:0q+s3pUtDILNCCa+Di2G7AXPwxa/P14c9nP5i49Ybigentz1l2zoEOvEgK/JTZVS:0q+AGtQO2GUXoa/P/HGbF0Z1l2UEOnkI
Threatray 44 similar samples on MalwareBazaar
TLSH T1F9236C003798C13AE2FD8BB5A8F2A2458675D25B6903CB597CC815EA2F13FC596036FD
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter pmelson
Tags:AsyncRAT DCRat exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
304
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
bPzi.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 16:08:36 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/e0a0246b-0c83-4016-a401-749d9dc9974a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446124/
Detection(s):
Sanesecurity.Malware.29669.UNOFFICIAL
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Malware.Enigmaprotector-9874743-0
Create hunting rule

Win.Malware.Enigmaprotector-9881027-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm configsecuritypolicy evasive hacktool lolbin mpcmdrun msconfig njrat packed rat regedit replace
Link:
https://www.filescan.io/uploads/64f600e326412fcb9d98ed9f/reports/5eb20f58-b423-4535-a6d7-64bdb3d09eeb/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5c49c58-e547-42cd-8ca0-2ad9cac43a50
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303056
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303056 Sample: bPzi.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 20 Snort IDS alert for network traffic 2->20 22 Found malware configuration 2->22 24 Malicious sample detected (through community Yara rule) 2->24 26 9 other signatures 2->26 7 bPzi.exe 2 5 2->7         started        process3 dnsIp4 16 16agostok.duckdns.org 172.94.40.145, 49722, 49724, 8004 M247GB United States 7->16 18 windowsupdatebg.s.llnwi.net 7->18 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started        14 timeout.exe 1 10->14         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 16:08:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zerypde4k7nf6ywyo34yvw2ew7olfcnj65c2yxhjpn5mggavwsdq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1dac278c05c70bc6df9e9eff71a38932549c61f51e1fed6239420a3c542c0476
AsyncRAT
5ca36203dcf4de2fb898308d50cb01aa4bbe3810a398a1f5e14b3aff1de16f65
AsyncRAT
5d7c4fd868e99334df95874c2c97f7e4ec2899e50fc482e637f5540d63032087
AsyncRAT
682d0715a72ba27e0b0fe217b30adb446500758b97dc8fa603727b490f6fb60f
AsyncRAT
76ded83d3b20de4cab65576d0e4c5adcd5b8ebb76e064ef4c2d3449ebdd25cac
AsyncRAT
77898019737298221ba5939c18ee8e0f7c22e9a7272bf7b42e70c09054dbb559
AsyncRAT
992dffa683d5a6e02b1bc40a2447a7cbfa03eab11adf8f9a5ff2b1d18cec7c93
AsyncRAT
a16465e149e3d655f042fe17721a93f54c9db0ce45cc09b7152fbd4710f71b78
AsyncRAT
aa44b193e2eb0046c55dc1a78fed298c361f06835256504ff42db39c5692df10
AsyncRAT
db56ca34b934ee56d33478d16413a49d78a7671fd92c9a7a9444c48469030520
AsyncRAT
+ 34 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:pijao 4 sept rat
Link:
https://tria.ge/reports/230904-tk74vahb2w/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
16agostok.duckdns.org:8004
Unpacked files
SH256 hash:
c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487
MD5 hash:
4a508c2b7ecc58143b347ad184bf47cf
SHA1 hash:
5c5121725c037601de85a17c6fc5a9c5e63a73ae
Detections:
DCRat
Create hunting rule
Link:
https://www.unpac.me/results/9de2bbcd-7dc8-4b1c-8e84-034f338d3172/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Windows_Trojan_DCRat_1aeea1ac
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487

(this sample)

  
Link
https://www.virustotal.com/gui/file/c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/446124/

Comments