MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AsyncRAT
Vendor detections: 16
| SHA256 hash: | de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51 |
|---|---|
| SHA3-384 hash: | 3b6b83bb13622ea0cbcc370b14a68a3f354ffc1bde0b23021603f20c6b0f3ca537e6de03f86ba1dabab778f12624861c |
| SHA1 hash: | e14a108cf8c21698ce1dbc1d66d1f703e1d5f3e4 |
| MD5 hash: | f7760f591f251625e206de38bdcb0346 |
| humanhash: | massachusetts-fillet-fifteen-hawaii |
| File name: | Unforgettable Wonderful Experience and Adventure Claremont Travel Group of 5 pax starting December 12 2025.scr |
| Download: | download sample |
| Signature | AsyncRAT |
| File size: | 3'981'832 bytes |
| First seen: | 2025-07-28 07:48:01 UTC |
| Last seen: | 2025-08-03 20:32:20 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger) |
| ssdeep | 98304:SDE01b8mDnGPbhdiG6WXpEAzUcU/fBSSU80JnS:So01bbnG76wp+k80k |
| Threatray | 42 similar samples on MalwareBazaar |
| TLSH | T19A0622B031ADA923DAA551F00191D83537B36ECF6818E2D94DD6BDEB7CE4BC40B41987 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| dhash icon | 00e425252425e400 (12 x SnakeKeylogger, 9 x Formbook, 2 x DCRat) |
| Reporter |  adrian__luca |
| Tags: | AsyncRAT exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
57
Origin country :
HUVendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
afb1c0ab-ec13-4978-8a2d-fa3233a08145
Verdict:
Malicious activity
Analysis date:
2025-07-28 07:54:09 UTC
Tags:
auto-sch-xml rat asyncrat remote netreactor stealer generic stormkitty
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VenomRAT
Verdict:
Malicious
Score:
94.9%
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Forced shutdown of a system process
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.BIM trojan
Verdict:
Suspicious
Score:
78%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.16 Win 32 Exe x86
Verdict:
Malicious
Threat:
VHO:Trojan-Spy.MSIL.Noon
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Status:
Malicious
First seen:
2025-07-28 07:15:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
18 of 38 (47.37%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
stormkitty
unc_loader_037
asyncrat
Similar samples:
+ 32 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Score:
10/10
Tags:
family:asyncrat family:stormkitty discovery execution persistence rat stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
MD5 hash:
f7760f591f251625e206de38bdcb0346
SHA1 hash:
e14a108cf8c21698ce1dbc1d66d1f703e1d5f3e4
SH256 hash:
a315b99015421ad7da5b1e8c2095ade245620865a7aa4b4d602e531c2d5f6e0e
MD5 hash:
38fd63635c0e212bd0234c8828b5ce36
SHA1 hash:
815695eb230d867706d79de2c043fca4cdc2e4ad
Detections:
AsyncRAT
DiscordRatWebcamGrabber
cn_utf8_windows_terminal
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_References_SecTools
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
INDICATOR_SUSPICIOUS_EXE_CC_Regex
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
INDICATOR_SUSPICIOUS_EXE_References_VPN
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
MALWARE_Win_StormKitty
MALWARE_Win_AsyncRAT
MALWARE_Win_DLAgent10
MALWARE_Win_ArrowRAT
MALWARE_Win_VenomRAT
SH256 hash:
1d6c89b37943a7e65041b4e4a465acb39f13d2c50c2fd1264989fd7f68395c05
MD5 hash:
016280a11dd551e6f7a864d9c0780746
SHA1 hash:
e0b20c026b1f18e959ba065af30945c893a0b99d
Detections:
DiscordRatWebcamGrabber
cn_utf8_windows_terminal
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_References_SecTools
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
INDICATOR_SUSPICIOUS_EXE_CC_Regex
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
INDICATOR_SUSPICIOUS_EXE_References_VPN
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
MALWARE_Win_StormKitty
MALWARE_Win_AsyncRAT
MALWARE_Win_DLAgent10
MALWARE_Win_ArrowRAT
MALWARE_Win_VenomRAT
SH256 hash:
e0bef7f04afe55b8d90261f6e64a6f7874dccf9f901080bd0c540e637c80f6dc
MD5 hash:
c58663d4b31ad34bbaa5f377b2ed27de
SHA1 hash:
a29976bcdc7366b1f30afc7280bbea05e42796c1
Detections:
MALWARE_Win_DLAgent10
Parent samples :
e33b8b32bccfb50f604f06a306d1af89ae7b0d583bca20c41fa5811f526aa420
eb2b61a5f15b19bf7dd0ff3914d3019c26499dd693647b00c1b073037db72e35
7c3a49906e67a1928113554ff75f684ee54ab74abcf26ac1211d0cd8726cb086
72b7856f3c6851a36642e952b4fb772b9ea0a6a4075c2ed4b59e60cb922f82e3
6cf0d4b7fd3371e339d9e52aa97cf50c9f2d0e662329507579f645e83e7285fe
c5731cdbb8604adea26e561124d3feb93d600d6062357a7fd3231478a370390d
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
29a8e6a6d00c902fb249248cd1094e22b3041a87b8b60d8e2cb01d738f4931ca
7b544ccaa0faa1e36c64b6fe56829bbdf428fbe5758361e93fad6c1a87679cf7
cc5f0d88e7a634abbfec245547371894e7a617187bb62086d6a7d2fde41982d4
7859144f1586edb705317225bc448262aee1b6a5dd33a17a75338d2458473bd2
bd6ca74d6dc83d0ddf0caa8084facfc3c8dc2bc0882388ba4cf4884a61289524
9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b
53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
ff37506f2c1d82d61f2eadefe66a685d1142d29b7790d90b76c5969a282cc752
16a1317ad2b3a3464c1c97066ce8329a96b226607760393c29eb145e8c7c666c
eb2b61a5f15b19bf7dd0ff3914d3019c26499dd693647b00c1b073037db72e35
7c3a49906e67a1928113554ff75f684ee54ab74abcf26ac1211d0cd8726cb086
72b7856f3c6851a36642e952b4fb772b9ea0a6a4075c2ed4b59e60cb922f82e3
6cf0d4b7fd3371e339d9e52aa97cf50c9f2d0e662329507579f645e83e7285fe
c5731cdbb8604adea26e561124d3feb93d600d6062357a7fd3231478a370390d
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
29a8e6a6d00c902fb249248cd1094e22b3041a87b8b60d8e2cb01d738f4931ca
7b544ccaa0faa1e36c64b6fe56829bbdf428fbe5758361e93fad6c1a87679cf7
cc5f0d88e7a634abbfec245547371894e7a617187bb62086d6a7d2fde41982d4
7859144f1586edb705317225bc448262aee1b6a5dd33a17a75338d2458473bd2
bd6ca74d6dc83d0ddf0caa8084facfc3c8dc2bc0882388ba4cf4884a61289524
9a657f8a9e75786f58aa9775b5b403544fc15249a22bc13165472f4ec7c20b6b
53ab4a93b93223968cf2e71ea8070ba2d7e1a9010d21d41e25100e2b6ab516d9
ff37506f2c1d82d61f2eadefe66a685d1142d29b7790d90b76c5969a282cc752
16a1317ad2b3a3464c1c97066ce8329a96b226607760393c29eb145e8c7c666c
SH256 hash:
5acdaecac52372249b1b43375d920df1b5f17aecb6cdb5afbeaf26aacd01fc02
MD5 hash:
b79e0511462bf5a6001d0494bd62ec6e
SHA1 hash:
35ac727c5f3966135653db3820152f3ef4fce53f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SUSP_OBF_NET_Reactor_Indicators_Jan24
SH256 hash:
ae1fde70461732cb60cba56eb52f8d994a141885c6e0b42cd4f8aa12ffbd575d
MD5 hash:
fafe704da4a186372f43d985051cb179
SHA1 hash:
e03fef11d0d38d856bbc278c343c5a7276c96847
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
INDICATOR_EXE_Packed_SmartAssembly
Parent samples :
44ae98fe4b0b4bd2000ed7ec88e9b7458e04c1abbe64102142c1686ac4ac494b
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
c3781a6a49bcffd2b8368caf5de812e0c87a13409b9365cb007f974e0534f5fc
bedc22afe7af1a669be2b39bde9200bef6e90d97e41a172cc326813cf1fc7f25
1bfbdb647f4ddac6b2bd3bf51f2dd64b5cd7c46a3ae6c0fabfaa348852337b14
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
1a9fc74a62360452410deb7b3949e3e1b85a31e2bab04799c3a915cc44762495
955e5034dd0af183bc13ab91e360af48c8872f014c8866c395efaf5726da582a
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
b3a0bb7276b0ecf1e99aa164ebafa0b9aaa7aa3c4db93f83b255e91f7d273dd9
5edd2f77052549775838fba8e2ae75d7a3e31a5d33861aab3df909d17ab3d45f
2a457ceff9290140853127bd459791a5a17603c116a513da8a499aae112346d5
6d794b8750f424796094f629c8cd1413d7f57b4c15c3d6d32e4865dffe2a7d37
29eeed93c836f8c75b109eae3ed94bd49fc2a7ea73928eb54bc3b296b6839f4f
1df3a2d85ac9bdbfbfae21c062956d5500ae4270bddf5233e72db71527a21585
54f0ad3a45963863d0fac39e1b6028ed64d2a05910dfa68e6a7f2a2dfed0bb72
e6a6e94af36a3ea70e21983ed3fc74131dbc63e26f0ea666346088815da0b14b
502c63a3d257cf149fee7c436b9824c8e347f6a6e0c8a5cda3d73f248d72843e
e8f21c243240c7e4a2c610d72900d48ada2beb65bd4e773a1b595c92213c4275
e5878bccd94a741e99440f14dd526680c2338e9fae4fa56d2a833b9a6d415e56
7702bb9529ed01be7712e195a6a55727e737db57426598d5bd67afe678ce5471
f162e1f50c40cb2fb7be4c5d6f086b11ceffed8e8929497723facad1005ad9b9
744f85439548730d894e2a64557333b4cdbdb6bc3f53c6b3518578ecf8e77406
1ed599fb38456bf745d482dbf044f9ecebca2ee2cc3c10fd66a09af3e5f934a4
caa56d33ca9d08ee531040d6e591b20a8f7bc671a02622ad6fa5f609af5f5a32
dab09542d6d7e13c72380e07671b13d36ae1387a072627e31d874786d05984a1
2c07c563674007a6019abf91469fc308482465c562cf3e19d46db259188a3901
5e46156c4e7a6e522230ebc9fe0d49beae8735286fc528cc70eba453200d88c6
4691b43609f2c69677c8f31d090c9be823f36f28805294b8d5a2f7536eb397c4
60682c9e70f15ee5e31dc5c054417386098c475be469994ea54b5c56847d4aaf
c3781a6a49bcffd2b8368caf5de812e0c87a13409b9365cb007f974e0534f5fc
bedc22afe7af1a669be2b39bde9200bef6e90d97e41a172cc326813cf1fc7f25
1bfbdb647f4ddac6b2bd3bf51f2dd64b5cd7c46a3ae6c0fabfaa348852337b14
de22cc3be940674331be243141c5b3e99c375bef12b433c93c17785710647a51
1a9fc74a62360452410deb7b3949e3e1b85a31e2bab04799c3a915cc44762495
955e5034dd0af183bc13ab91e360af48c8872f014c8866c395efaf5726da582a
cd6ead626c8b5df6f95887fba78fd19cd506716eff119c050f8083bb8b7efe87
b3a0bb7276b0ecf1e99aa164ebafa0b9aaa7aa3c4db93f83b255e91f7d273dd9
5edd2f77052549775838fba8e2ae75d7a3e31a5d33861aab3df909d17ab3d45f
2a457ceff9290140853127bd459791a5a17603c116a513da8a499aae112346d5
6d794b8750f424796094f629c8cd1413d7f57b4c15c3d6d32e4865dffe2a7d37
29eeed93c836f8c75b109eae3ed94bd49fc2a7ea73928eb54bc3b296b6839f4f
1df3a2d85ac9bdbfbfae21c062956d5500ae4270bddf5233e72db71527a21585
54f0ad3a45963863d0fac39e1b6028ed64d2a05910dfa68e6a7f2a2dfed0bb72
e6a6e94af36a3ea70e21983ed3fc74131dbc63e26f0ea666346088815da0b14b
502c63a3d257cf149fee7c436b9824c8e347f6a6e0c8a5cda3d73f248d72843e
e8f21c243240c7e4a2c610d72900d48ada2beb65bd4e773a1b595c92213c4275
e5878bccd94a741e99440f14dd526680c2338e9fae4fa56d2a833b9a6d415e56
7702bb9529ed01be7712e195a6a55727e737db57426598d5bd67afe678ce5471
f162e1f50c40cb2fb7be4c5d6f086b11ceffed8e8929497723facad1005ad9b9
744f85439548730d894e2a64557333b4cdbdb6bc3f53c6b3518578ecf8e77406
1ed599fb38456bf745d482dbf044f9ecebca2ee2cc3c10fd66a09af3e5f934a4
caa56d33ca9d08ee531040d6e591b20a8f7bc671a02622ad6fa5f609af5f5a32
dab09542d6d7e13c72380e07671b13d36ae1387a072627e31d874786d05984a1
2c07c563674007a6019abf91469fc308482465c562cf3e19d46db259188a3901
5e46156c4e7a6e522230ebc9fe0d49beae8735286fc528cc70eba453200d88c6
4691b43609f2c69677c8f31d090c9be823f36f28805294b8d5a2f7536eb397c4
SH256 hash:
ddc3abc70c35b9561a094a1a0b60d7ce71890ee2475dcacdfa607a52f805ee95
MD5 hash:
c8417e698c5d329c567f2832c983cf26
SHA1 hash:
f79c471a675d4316f4f88ac1afd9987d1462e742
Detections:
AsyncRAT
DiscordRatWebcamGrabber
cn_utf8_windows_terminal
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_References_SecTools
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
INDICATOR_SUSPICIOUS_EXE_CC_Regex
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
INDICATOR_SUSPICIOUS_EXE_References_VPN
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
MALWARE_Win_StormKitty
MALWARE_Win_AsyncRAT
MALWARE_Win_DLAgent10
MALWARE_Win_ArrowRAT
MALWARE_Win_VenomRAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AcRat |
|---|---|
| Author: | Nikos 'n0t' Totosis |
| Description: | AcRat Payload (based on AsyncRat) |
| Rule name: | botnet_plaintext_c2 |
|---|---|
| Author: | cip |
| Description: | Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols. |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | detect_powershell |
|---|---|
| Author: | daniyyell |
| Description: | Detects suspicious PowerShell activity related to malware execution |
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | Disable_Defender |
|---|---|
| Author: | iam-py-test |
| Description: | Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen |
| Rule name: | ffdroider |
|---|---|
| Author: | Michelle Khalil |
| Description: | This rule detects unpacked ffdroider stealer malware samples. |
| Rule name: | grakate_stealer_nov_2021 |
|---|
| Rule name: | INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables signed with stolen, revoked or invalid certificates |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs |
|---|---|
| Author: | ditekSHen |
| Description: | Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_CC_Regex |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing credit card regular expressions |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Discord_Regex |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Discord tokens regular expressions |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables referencing non-Windows User-Agents |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_VPN |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many VPN software clients. Observed in infosteslers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables embedding registry key / value combination indicative of disabling Windows Defender features |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables with interest in wireless interface using netsh |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables attemping to enumerate video devices using WMI |
| Rule name: | INDICATOR_SUSPICIOUS_References_SecTools |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many IR and analysis tools |
| Rule name: | Lumma_Stealer_Detection |
|---|---|
| Author: | ashizZz |
| Description: | Detects a specific Lumma Stealer malware sample using unique strings and behaviors |
| Reference: | https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/ |
| Rule name: | Macos_Infostealer_Wallets_8e469ea0 |
|---|---|
| Author: | Elastic Security |
| Rule name: | MALWARE_Win_ArrowRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects ArrowRAT |
| Rule name: | MALWARE_Win_AsyncRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects AsyncRAT |
| Rule name: | MALWARE_Win_DLAgent10 |
|---|---|
| Author: | ditekSHen |
| Description: | Detects known downloader agent |
| Rule name: | MALWARE_Win_StormKitty |
|---|---|
| Author: | ditekSHen |
| Description: | Detects StormKitty infostealer |
| Rule name: | MALWARE_Win_VenomRAT |
|---|---|
| Author: | ditekSHen |
| Description: | Detects VenomRAT |
| Rule name: | Mal_WIN_AsyncRat_RAT_PE |
|---|---|
| Author: | Phatcharadol Thangplub |
| Description: | Use to detect AsyncRAT implant. |
| Rule name: | Multifamily_RAT_Detection |
|---|---|
| Author: | Lucas Acha (http://www.lukeacha.com) |
| Description: | Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | Njrat |
|---|---|
| Author: | botherder https://github.com/botherder |
| Description: | Njrat |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | venomrat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | Windows_Generic_Threat_21253888 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Generic_Threat_2bb6f41d |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Generic_Threat_ce98c4bc |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_DCRat_1aeea1ac |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.