MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
SHA3-384 hash: 9e1ae8eb0139ac4390f21556798f18bd1cba0c02943e71c43ea0e5e8d4e674397ca593b183a7e0f827b68382f07402e4
SHA1 hash: 594fb8d239a5ffaa654a13415fa95965ba47d2a8
MD5 hash: 2d25ca067a272bd8542cabe1ff9985d1
humanhash: alanine-connecticut-angel-monkey
File name:2d25ca067a272bd8542cabe1ff9985d1.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:19'303'424 bytes
First seen:2024-04-29 08:20:49 UTC
Last seen:2024-04-29 09:19:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep 393216:ozIk5m3MgwV+WN+9vnd578wO+h39L8ArcD/i3vZNb63gH4R6Z4GQSWQmrxaf:oP43wz/mtYzinb6f3GQPc
Threatray 1 similar samples on MalwareBazaar
TLSH T1F917B1CE5AD12C4AFE51796E1DFE81CBD7210A3319F99E2B7C6C5928409AC8D0C5783E
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70e4868e8ee6f870 (3 x RustyStealer, 1 x AsyncRAT, 1 x SVCStealer)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
95.211.208.153:8808

Intelligence

File Origin
# of uploads :
2
# of downloads :
388
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4.exe
Verdict:
Malicious activity
Analysis date:
2024-04-29 08:21:59 UTC
Tags:
rat asyncrat remote
Link:
https://app.any.run/tasks/3b179355-9918-45e6-829e-908545a7b5bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Downloading the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/662f5870bf71946384917a51/reports/dd5da7c4-d92e-4e79-8dfd-5fcc8136b18b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e34d0a60-5ccb-4d4f-8400-a80aba0a8329
Result
Threat name:
AsyncRAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433165
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1433165 Sample: Gm602axA2d.exe Startdate: 29/04/2024 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 17 other signatures 2->75 8 Gm602axA2d.exe 3 2->8         started        12 Lxfrfbi.exe 2->12         started        14 Lxfrfbi.exe 2->14         started        process3 file4 47 C:\Users\user\AppData\Local\Vulvvmkewji.exe, PE32 8->47 dropped 49 C:\Users\user\...\Office Installer.exe, PE32+ 8->49 dropped 77 Encrypted powershell cmdline option found 8->77 16 Vulvvmkewji.exe 1 2 8->16         started        20 Office Installer.exe 3 8->20         started        22 powershell.exe 23 8->22         started        79 Multi AV Scanner detection for dropped file 12->79 81 Machine Learning detection for dropped file 12->81 24 AppLaunch.exe 12->24         started        83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->83 26 AppLaunch.exe 14->26         started        signatures5 process6 file7 45 C:\Users\user\AppData\Roaming\Lxfrfbi.exe, PE32 16->45 dropped 57 Multi AV Scanner detection for dropped file 16->57 59 Machine Learning detection for dropped file 16->59 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->61 28 AppLaunch.exe 2 16->28         started        63 Suspicious powershell command line found 20->63 65 Tries to download and execute files (via powershell) 20->65 31 powershell.exe 14 16 20->31         started        35 reg.exe 1 1 20->35         started        67 Loading BitLocker PowerShell Module 22->67 37 WmiPrvSE.exe 22->37         started        39 conhost.exe 22->39         started        signatures8 process9 dnsIp10 53 95.211.208.153, 49731, 7707 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 28->53 51 C:\Users\user\AppData\Local\Temp\...\ver.txt, JSON 31->51 dropped 55 Installs new ROOT certificates 31->55 41 conhost.exe 31->41         started        43 conhost.exe 35->43         started        file11 signatures12 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-04-24 21:32:57 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
29 of 38 (76.32%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3i5ft7nz6fau63lsmqu4mcpklnrxpsoznurp7mj7ou2s53dl4osa._file
Verdict:
malicious
Similar samples:
da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
AsyncRAT
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:default persistence rat
Link:
https://tria.ge/reports/240429-j81dssee9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
AsyncRat
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
5512.sytes.net:6606
5512.sytes.net:7707
5512.sytes.net:8808
95.211.208.153:6606
95.211.208.153:7707
95.211.208.153:8808
Dropper Extraction:
https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab
http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
Unpacked files
SH256 hash:
c26ab0b0232c8bb0878fd6a06eb168f5fd99c9e6a5dcd3e48af5a449da10d4ff
MD5 hash:
939bef6d5f8da5a8762f6500598788c4
SHA1 hash:
341fe91b1e283493f8c35277add9c8e76d8b9875
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
ad1f922b6f3f7c7d8c134007c60b14f391ff396bf81da22bd4cf3801523c88f9
MD5 hash:
e351290adeca87bbc122b5880eac7130
SHA1 hash:
f898b8e1f3f3cc396c83fa8a3a509d6d81136045
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
63e18ea0955385a775b9ec01eae796ec079a4e9ce84e96d2251eb204e821d5c5
MD5 hash:
95352bce7bccd9de87fa0a7efbaebeab
SHA1 hash:
b4e1a64afd51746430f6a4117da8da9175cf5c22
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
0d9c95a567b68aea53a66b961220a6d5ff14134a91a7ee3b31dec8a9ec74fafa
MD5 hash:
55b293f5bc4f0a9ca106b3adc2af7f79
SHA1 hash:
91b91815aa36d66a775790404111a2a2759bab74
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
6548d3dc39db175d042269478fdede520e386d9ea6c7b4b633e6a7f34be92388
MD5 hash:
b460c9e00bf6eed8633a5d3c61887e35
SHA1 hash:
8af44646b9fe5101f86c7fc8e0cba2e3dddead7c
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
35e17503b717357e5cbcef75e8588763cdee7b1dffec49310dfee1118d2b2cd1
MD5 hash:
fdf96573415edc5a59670285e4e9501e
SHA1 hash:
4430dc2d858558b03aec6e2cf6de50dbcc43a9aa
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
SH256 hash:
da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4
MD5 hash:
2d25ca067a272bd8542cabe1ff9985d1
SHA1 hash:
594fb8d239a5ffaa654a13415fa95965ba47d2a8
Link:
https://www.unpac.me/results/f6862c1a-dabf-4417-9852-5035e80a14d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da3a59fdb9f1414f6d726429c609ea5b6377c9d96d22ffb13f75352eec6be3a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Asyncrat_11a11ba1
Create hunting rule
Author:Elastic Security
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments