MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 39 File information Comments

SHA256 hash:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
SHA3-384 hash:	9c31cf040146c10a6197c531465a216eac52a80da485c91710fa75a445ce2ce996108bd5ab101c62caa7771e988ffb4e
SHA1 hash:	30f6fa21f06d99b0254fa1ff387c45921317eda7
MD5 hash:	d2b8506820fe3c39b6b5e891170f3451
humanhash:	echo-stairway-robert-kilo
File name:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	778'752 bytes
First seen:	2025-01-10 14:47:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:YjlIpHtMPku+l0CPPoJts5Pic17D44ehsA4iFMZUiqrbA8yJNB:YjlIhSPd+pWtAPic17Dehx442B
TLSH	T1BCF4BFC07B26B701CD6CB570852AEEB8625C2F68700879F27EEE374775B9152AA1CF05
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	863b292b234d2b96 (7 x RedLineStealer, 3 x AsyncRAT, 1 x Formbook)
Reporter	adrian__luca
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480

Verdict:

Malicious activity

Analysis date:

2025-01-10 22:10:45 UTC

Tags:

stealer evasion telegram stormkitty xor-url ims-api generic

Link:

https://app.any.run/tasks/a124e2f7-9037-4b47-a8d3-4e00254ca431

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Jalapeno-10038995-0

Win.Packed.Generic-10039123-0

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6781332b2c8240e189bb9473

Tags:

asyncrat shell virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Running batch commands

Launching a process

Launching the process to change network settings

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Enabling the 'hidden' option for recently created files

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67813325d0ec437b47a70c4e/reports/f775afc2-33af-4e31-a740-10b2425e47c5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6aeced85-48df-4143-a823-30541999394c

Result

Threat name:

AsyncRAT, StormKitty, WorldWind Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1588087

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480/

Threat name:

ByteCode-MSIL.Infostealer.StormKitty

Status:

Malicious

First seen:

2024-12-12 08:50:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4htkke5l6vkygrmm3chmrn5pttrkmdiwsutlbzvdcgb2o2elqsaa._file

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:asyncrat family:stormkitty botnet:default discovery persistence privilege_escalation rat spyware stealer

Link:

https://tria.ge/reports/250110-r6gsnsxmd1/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Suspicious use of SetThreadContext

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Reads user/profile data of web browsers

AsyncRat

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Malware Config

C2 Extraction:

127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069

Verdict:

Malicious

Tags:

Win.Packed.Jalapeno-10038995-0

YARA:

n/a

Link:

https://app.threat.zone/submission/10398b9d-3485-4441-9ef5-0641b2fa71a6

Unpacked files

SH256 hash:

117c984a4b6c0bc0d29ee3bee08babe51bf8e5e9288726974c200fd5ca58ed10

MD5 hash:

bc07fcf586482a89d878684072409c5a

SHA1 hash:

ca195505dd9659666eb029983f6e189ce316ae9e

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/847b6e8c-0eac-4004-80b6-038390eefcdf/

Parent samples :

cc48dc4257bbcfcc07212d548808d7958be2e6e7db936ea8c255624ad5e47f82
fe1ea0347bf6d718b99d5f38c272ee7c44099185319df916ff44ff8ae1e139c3
168f3f67fdf19ef0a0afabb378ee803fb3cf1f822ad37ba51772bc96a58a83d0
7f3a6082c0ab2b881863c4dfe7328ef497155d2d962fa4a1976a5c26ec1d4e66
9ba87d90f707c080cc4833ab960ff76301f1615d19271d5f2749a2594eec7d12
36389326c697d43ecf27b181b4ec997ffc45aa8b1cdca0cca34db3d43075cccd
557e744afea416d8f74e7a997bcf0ce5acd0d86ef6b6f7c8b16e0d9f338d786d
4733c3841f338c4b95b5226678de7358eaf8604750ee3aa3c3d55ce829db11b3
525248e53005e0ec5a39b4aa00c2323e9f5be5a256ddd944707aba1b3dedba58
be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
63ff1a1be734e83c37ff7039e8b7a2b303a5e2df7b53ce2158a75c2e26d6906a
c01469ec1500b5bbb7ace40f1823b41e0965607d4fa54497f3dff82712c8070a
34ec90ccd81677a867a00f697ece5799cdbbfaf76556701353fe8fcdc3c674c1
80d7f00f11c5bb9b582383d9359d29f3fd77b83df68a4a56b813bd76aa08295a
e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3
969b59611c12796080c4742d484f3a11a78c40ca44bccc4691cbe2bb8458c73b
d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6
e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
2cf5186fed58526d250443fecf2cbdfdc51f53797a944ffa586ea56d6b547b58
80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89
d5b6f53a68279ba7bd78158a4003e1ccb9b70cd4681627e34a1c4ec228c9f485
130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431

SH256 hash:

153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af

MD5 hash:

f69889d705f5d72d65661b48535ae1b3

SHA1 hash:

4c8f3cf14130e6519339a370bba4527ecb012cde

Detections:

WorldWindStealer

win_asyncrat_w0

cn_utf8_windows_terminal

SUSP_NET_Msil_Suspicious_Use_StrReverse

asyncrat

win_asyncrat_bytecodes

win_asyncrat_unobfuscated

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_CC_Regex

INDICATOR_SUSPICIOUS_EXE_Discord_Regex

INDICATOR_SUSPICIOUS_EXE_References_VPN

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon

MALWARE_Win_StormKitty

MALWARE_Win_Multi_Family_InfoStealer

MALWARE_Win_WorldWind

Link:

https://www.unpac.me/results/847b6e8c-0eac-4004-80b6-038390eefcdf/

Parent samples :

53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513
153a321e178bc28e0f2c6432763bb44fc47b573596387ec241ca45d8775e12af
e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480

SH256 hash:

522f0a2b395c5d7d26143280fe0c0b337e882a0466be7ae7ae1f98aafa6873c9

MD5 hash:

95a1a5a78c20c53e5446c05534bfca9f

SHA1 hash:

199e8d35d325632cc6442ccc9c395ad8989ea5f4

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/847b6e8c-0eac-4004-80b6-038390eefcdf/

SH256 hash:

6513b2b4397b6510b14012333cfa1b6a8cf41320650d06bc63b834357a6f5289

MD5 hash:

21c4ad9efb599cebcee2fb5d378600c5

SHA1 hash:

867bcb868dbdd7feb3e57e396a7aced0338b5c6a

Link:

https://www.unpac.me/results/847b6e8c-0eac-4004-80b6-038390eefcdf/

SH256 hash:

e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480

MD5 hash:

d2b8506820fe3c39b6b5e891170f3451

SHA1 hash:

30f6fa21f06d99b0254fa1ff387c45921317eda7

Link:

https://www.unpac.me/results/847b6e8c-0eac-4004-80b6-038390eefcdf/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	AsyncRAT_kingrat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_EXE_CC_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing credit card regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_Discord_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Discord tokens regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_VPN Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many VPN software clients. Observed in infosteslers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon Create hunting rule
Author:	ditekSHen
Description:	Detects executables with interest in wireless interface using netsh

Rule name:	malware_asyncrat Create hunting rule
Description:	detect AsyncRat in memory
Reference:	https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Rule name:	MALWARE_Win_Multi_Family_InfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers

Rule name:	MALWARE_Win_StormKitty Create hunting rule
Author:	ditekSHen
Description:	Detects StormKitty infostealer

Rule name:	MALWARE_Win_WorldWind Create hunting rule
Author:	ditekSHen
Description:	Detects WorldWind infostealer

Rule name:	MAL_AsnycRAT Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	MAL_AsyncRAT_Config_Decryption Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects AsnycRAT based on it's config decryption routine

Rule name:	msil_suspicious_use_of_strreverse Create hunting rule
Author:	dr4k0nia
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	prynt_stealer Create hunting rule
Author:	Nikos 'n0t' Totosis
Description:	Prynt Stealer Payload

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	SUSP_NET_Msil_Suspicious_Use_StrReverse Create hunting rule
Author:	dr4k0nia, modified by Florian Roth
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Generic_Threat_2bb6f41d Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_62e1f5fc Create hunting rule
Author:	Elastic Security

Rule name:	win_asyncrat_bytecodes Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

Rule name:	win_asyncrat_unobfuscated Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample