MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca
SHA3-384 hash: 8c1414bebf53344806b0e36333d88705bd0bf18f5c2685d7f035e2f898ff3dc3bcf1e0e3a594bfb98e047d85aa0c91c4
SHA1 hash: 5e37d133b6e03b0a174a751ea01b38f4d63df15c
MD5 hash: 2a43713db0fa5022c53c6cf097e8b281
humanhash: echo-monkey-fruit-seven
File name:2a43713db0fa5022c53c6cf097e8b281
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:140'800 bytes
First seen:2022-08-28 07:36:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:SgaFwlGXeKexkPJD4OLjz+sF9UrFEtDbFMQCmIFLrY:S7XsOrSFEBbOl
Threatray 6 similar samples on MalwareBazaar
TLSH T145D30818B7FE5911F1BF6B7EA8B652150B31F5679933E30F1A86649C0D327804E06BA3
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a43713db0fa5022c53c6cf097e8b281
Verdict:
Suspicious activity
Analysis date:
2022-08-28 07:38:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5040ba3-b720-4afc-bd73-6d8bf1cf0474

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301820/
Detection(s):
Win.Packed.Razy-9784041-0
Create hunting rule

Win.Packed.Clipbanker-9792195-0
Create hunting rule

Win.Malware.Ursu-9794593-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe evasive fingerprint packed schtasks.exe
Link:
https://www.filescan.io/uploads/630b1b7070b1f4ccb9148182/reports/c7addcad-e2f8-4778-9557-69daff62b04c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0843715b-24a8-4e12-9930-ef42e50a1b4d
Result
Threat name:
AsyncRAT, Clipboard Hijacker, ToxicEye
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059193
Signature
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Telegram Recon
Yara detected ToxicEye
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca/
Threat name:
ByteCode-MSIL.Infostealer.Telebot
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 18:00:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ey37rb3baol2m6n6fdpvqlirobmz3wngj2ewmmrqpl2xxgtnhfa._file
Verdict:
malicious
Similar samples:
2daa785895f9ff331c64230e56ec68944bdf830fc3dcaf75520fb284e5464612
AsyncRAT
328c9268680943aba662719351dd6e257fbf1f7d73363d17c20652bc5f3d8d2b
AsyncRAT
728c4e3a68f1f55cbafffc315ace09d2dc21857964cc60389f1382fabecec70a
AsyncRAT
8d5183e16553bfad76d68b950d94144e5d57633c716074ca3d76cf6e6903918f
AsyncRAT
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220828-jftesafdd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca
MD5 hash:
2a43713db0fa5022c53c6cf097e8b281
SHA1 hash:
5e37d133b6e03b0a174a751ea01b38f4d63df15c
Link:
https://www.unpac.me/results/f17ff014-2b02-4991-b37e-71776bcae6c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe e131bfc43b081cbd33cdf146fac1688b82cceecd32744b319183d7abdcd369ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2281770/
Cape
Cape
https://www.capesandbox.com/analysis/301820/

Comments


Avatar
zbet commented on 2022-08-28 07:36:27 UTC

url : hxxp://37.139.129.142/htdocs/yEGMAzpRQBJjDnY.exe