MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2
SHA3-384 hash: 6594e126d709af59ed1f52973c99ba1d0d896ffc0dab345b2a100b535eccc3cf05fb78709c7bcaa8583f7a2e1afd8633
SHA1 hash: 8e1296c7474c42a0df4dbe2ca81104c3660b9966
MD5 hash: c97d9719e8be9e521c3c0f87114aeb56
humanhash: hydrogen-sad-ink-six
File name:c97d9719e8be9e521c3c0f87114aeb56
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:309'760 bytes
First seen:2023-11-27 11:56:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:31YpY0J/eRzIFDYeXvRaujbQ4cvDkLrJxjDcKeGjeVihk+ZEDAI:31EJ/eRzADfXJa2Q18jDDeGjeVihk+Zu
Threatray 17 similar samples on MalwareBazaar
TLSH T13A64499C7624F2DEC857C472DAA81CF4AA507D6AC31B521394173EADBA3D987CF140B2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460660/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b12d35bb-be4e-483a-b6db-a941e44e6d8b
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1348510
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 11:57:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bthqdxc6highhz6fjw5ked74kqzjt2d7uwuurve7hqibhjxrxja._file
Verdict:
malicious
Similar samples:
035bcae10783495f0728eed772825acdd656acf71d7132927c54e2f6100aaf4d
AsyncRAT
09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198ef9b92b6c18c804f0bc1
AsyncRAT
37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
AsyncRAT
49e60ea90cc69fcb424f82db5dc51788c0d578c3cc6ba2db75323d751f4e6b03
AsyncRAT
6de8655482872ddd47b7a3515d3b58861dbaefa931ed9643f9a8218e43bbd1d3
AsyncRAT
7d5af6633800f3b722cbd548dccca5eac7be087faed0c750b8e293ff4d3f4c89
AsyncRAT
bbf215e331700f99a98b7624d050b43ca49c0465a1949fe63b9db8d0c12e62ee
AsyncRAT
cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
AsyncRAT
d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2
AsyncRAT
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231127-n4mz5agc84/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
66427976ae9a6e56c55480c6cdf9ff5683286f5c8eec7fc0e8e51bbaa61a0157
MD5 hash:
d1e46158ecb555da5c237fb06b341922
SHA1 hash:
4ee3f347225249467734d04043807de01532d9c1
Link:
https://www.unpac.me/results/cfae860e-ee0b-4ac7-b8a7-fb242d4891f1/
SH256 hash:
a953a77f5c96c44eb4eed27283e73a98ca0d70b51fbe89018880dddce969e7ef
MD5 hash:
e5d2035e1a2567e33beb70f4534a4dea
SHA1 hash:
1fef072cbab531d9668171f2c58e1e6f02fe3d54
Link:
https://www.unpac.me/results/cfae860e-ee0b-4ac7-b8a7-fb242d4891f1/
SH256 hash:
d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2
MD5 hash:
c97d9719e8be9e521c3c0f87114aeb56
SHA1 hash:
8e1296c7474c42a0df4dbe2ca81104c3660b9966
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/cfae860e-ee0b-4ac7-b8a7-fb242d4891f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe d066780ee2f1d0639f3e2a6dd5107fe2a194cf43fd2d4a46a4f9e0809d378dd2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735532/
Cape
Cape
https://www.capesandbox.com/analysis/460660/

Comments


Avatar
zbet commented on 2023-11-27 11:56:47 UTC

url : hxxp://www.transportesevaristomadero.com/jbzscontent/xfzbhjbzbfubtegjhbkjdf/server1.exe