MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da25fa6c320d11fefa4fb2fb6550e53048b91660a616978067e1d10fd10bbf67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	da25fa6c320d11fefa4fb2fb6550e53048b91660a616978067e1d10fd10bbf67
SHA3-384 hash:	38916383c8ad8673b66b6df4ab406d9a4d74d16f07a2ed213505c9fa343ad287b3615f4920169206d554a03c15b03456
SHA1 hash:	248901667b4ce7a90e156ae51a3674dfed09d61b
MD5 hash:	0d4285c801baec1bbc17354f4914fc57
humanhash:	river-burger-cardinal-harry
File name:	IMG-203857623895728935728935872 CONFIRMACION DE CONSIGNACION EXITOSA EL DIA 25 DE NOVIEMBRE DEL 2022.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	317'952 bytes
First seen:	2022-11-25 20:33:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:MXoSLdXaeE8VljqIHW8e8S7znoD7FLHHsf3ACLF2qV018iAJZJqRadVAiWvc7:M7ae7bqWWVoDhjeACx2qq1V2MgQU7
Threatray	670 similar samples on MalwareBazaar
TLSH	T1E6642399F390423BF8B9963C5ACB6D94A771744E20D2F5A97DD800AD723E08077A583F
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	0xToxin
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

425

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7c37aec7-9184-4ff2-ade5-421d0a0a7aa3

Verdict:

No threats detected

Analysis date:

2022-11-25 20:36:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d54907d3-8a2c-4cdd-bbcc-988840d8012f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338592/

Detection(s):

SecuriteInfo.com.Malware.PDB-51.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638126bd9c57db591d88dcca/reports/2ce1a04a-40e0-468e-a4c5-54a5273d2711/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f8cff6ca-c9a0-4ee0-bbaf-8b56855efb18

Result

Threat name:

AsyncRAT, DcRat

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1121355

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected DcRat

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da25fa6c320d11fefa4fb2fb6550e53048b91660a616978067e1d10fd10bbf67/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-25 20:34:09 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3is7u3bsbui756spwl5wkuhfgbelsftauyljpadh4hiq7uilx5tq._file

Verdict:

malicious

AsyncRAT

26e9c2f05c547a575d40b66a4feb317af53b65062611eea7ed6005e0ed88d1e9

AsyncRAT

3c4e99d0feb74839f278b7bdebfb6ab682d7eaa07072439b08d197ae8abd9600

AsyncRAT

3f2ed14209d2cd6eb55501035e8e826963552ea1bf144caf94fcfd68d1b50c61

AsyncRAT

6eec1a8da601b90f81fdb28221702581d5a1698201976958fb160b2d956edb19

AsyncRAT

7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532

AsyncRAT

9b752fc57f6cd1b2f7869f232c6860adf24bcc3454d330e9f481671b27b7dc0c

AsyncRAT

a6f687d95308fd4d110ee7f8b07d3992e35802042f2d68c6216a5606b9ef8ab8

AsyncRAT

aa6572e96ced2adf1ad645b40e7c3d6ce3854e3f4b7b2255f5cf269be602c296

AsyncRAT

+ 660 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default persistence rat

Link:

https://tria.ge/reports/221125-zceefsdd67/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

roberurrutialora09.duckdns.org:1994

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/825c0cba-0df7-4690-a79c-1dfc5bb22a4c

Unpacked files

SH256 hash:

da25fa6c320d11fefa4fb2fb6550e53048b91660a616978067e1d10fd10bbf67

MD5 hash:

0d4285c801baec1bbc17354f4914fc57

SHA1 hash:

248901667b4ce7a90e156ae51a3674dfed09d61b

Link:

https://www.unpac.me/results/598dd704-1701-4242-bb46-0a6658b77ffd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/da25fa6c320d11fefa4fb2fb6550e53048b91660a616978067e1d10fd10bbf67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/338592/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample