MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e24757ef4e0d360786ce860c7aa4713f7958333b7a1afb60b9404c02c61ea7c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e24757ef4e0d360786ce860c7aa4713f7958333b7a1afb60b9404c02c61ea7c4
SHA3-384 hash: 566463b5f25c450b02061c0305d59e962d5c3f47e99c23e9751b97b20dd142476df3de3ef8461a6edd371cfbd282387c
SHA1 hash: 3cc28b7bed906567c7b3667d0f3f45dbd30ffdac
MD5 hash: 4000ab469a0c647a9f7c6fc792b0ea6b
humanhash: kansas-gee-spring-aspen
File name:4000ab469a0c647a9f7c6fc792b0ea6b.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'498'624 bytes
First seen:2022-04-11 21:16:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:TvAz/iO9Hcw+cTcqkzzX1W8rpTpiWOXR2k:8zNQPzzX1W8rpTpiWOXR2k
Threatray 2'743 similar samples on MalwareBazaar
TLSH T11D653A5D36A9A842FD959774E87B2BA017A08E7E4C899303A3B4353DD83B3F91F01716
File icon (PE):PE icon
dhash icon b0824781910101ba (2 x AsyncRAT, 1 x Rhadamanthys)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
179.13.1.226:8042

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.13.1.226:8042 https://threatfox.abuse.ch/ioc/518738/

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4000ab469a0c647a9f7c6fc792b0ea6b.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-11 21:24:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01fae7a9-78d0-4bd8-acd0-41053652cbcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262811/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot obfuscated packed
Link:
https://www.filescan.io/uploads/62549ad0ffe27d5119ad5536/reports/7f918ec9-2f4f-4d24-8eca-eabd8b1578cb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16ff35ff-873d-400a-b810-5331647d2892
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974942
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607429 Sample: 63hR5SEIkW.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 10 other signatures 2->62 7 63hR5SEIkW.exe 1 4 2->7         started        11 Chrome.exe 2->11         started        13 Chrome.exe 2->13         started        process3 file4 48 C:\Users\user\AppData\Roaming\Chrome.exe, PE32 7->48 dropped 50 C:\Users\user\...\Chrome.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\...\63hR5SEIkW.exe.log, ASCII 7->52 dropped 64 Encrypted powershell cmdline option found 7->64 15 InstallUtil.exe 1 2 7->15         started        18 cmd.exe 1 7->18         started        20 powershell.exe 25 7->20         started        22 InstallUtil.exe 7->22         started        66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 24 cmd.exe 11->24         started        26 InstallUtil.exe 11->26         started        28 cmd.exe 13->28         started        30 InstallUtil.exe 13->30         started        32 InstallUtil.exe 13->32         started        signatures5 process6 dnsIp7 54 gfhdjksjd.duckdns.org 179.13.1.226, 49769, 8045 ColombiaMovilCO Colombia 15->54 34 conhost.exe 18->34         started        36 timeout.exe 1 18->36         started        38 conhost.exe 20->38         started        40 conhost.exe 24->40         started        42 timeout.exe 24->42         started        44 conhost.exe 28->44         started        46 timeout.exe 28->46         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e24757ef4e0d360786ce860c7aa4713f7958333b7a1afb60b9404c02c61ea7c4/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-10 23:10:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 42 (52.38%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jdvp32obu3apbwoqyghvjdrh54vqmz3pinpwyfzibgafrq6u7ca._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
25e21f55b7fbffe0d90e6845044e3e907964a5c278f29fcd1cf0fff9916a2ac3
AsyncRAT
4d5367bf571dfd7837563c0b9d58f5557cc251ba6fafdd26dd07bb3646b3bd1b
AsyncRAT
7da096df4561ecc9169365841e2f024e40165377384e25e82922b2d1f16b8aa0
AsyncRAT
97f116891027a9cb8a2c59d5a0de5bd169ae05829b9b4e034bdb9326a54c8dd6
AsyncRAT
a61198f59a97cca6bece077d2f227f203d46b0e2d2998ed12343a0c743dd3a89
AsyncRAT
e19812727031bef0368880c6734ea4309368302e8fb5c6c3dea1dfa4821b26f7
AsyncRAT
ec1773386924814a953850ec438551a133c27541b156e6d685d9eda1477a65b4
AsyncRAT
fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e
AsyncRAT
+ 2'733 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default persistence rat suricata
Link:
https://tria.ge/reports/220411-z41f1aadaq/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Async RAT payload
AsyncRat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
Malware Config
C2 Extraction:
gfhdjksjd.duckdns.org:8045
Unpacked files
SH256 hash:
036de7be3842e12d9217f90559453ef60e8e8dbb158cc1f7eec89915134fd74d
MD5 hash:
faa747a16f96df78200619317c8f0b65
SHA1 hash:
e0ffd4befb343b784934b909d76298f7c3833996
Link:
https://www.unpac.me/results/81c1ba5b-674b-4c1f-b50f-0b8caf9d5155/
SH256 hash:
c948d313bf95fd6c9f370c9e96bd68008facabd59baa9b00e7913b560437aa6b
MD5 hash:
159535fe7dc14ee00a508b54cb18e709
SHA1 hash:
cbd9968c5b874e5ec5ae18c7e10e8b070f7a4d87
Link:
https://www.unpac.me/results/81c1ba5b-674b-4c1f-b50f-0b8caf9d5155/
SH256 hash:
ce6d980de2518511489d59f3e76394c9d881f5e44b972963750e287dcf3ba9b9
MD5 hash:
2eb3ac7acdd9b83bf1f70d6bcb369c4c
SHA1 hash:
aa9e010f5d10bce257f916d9e60d47f2bcc0990c
Link:
https://www.unpac.me/results/81c1ba5b-674b-4c1f-b50f-0b8caf9d5155/
SH256 hash:
e24757ef4e0d360786ce860c7aa4713f7958333b7a1afb60b9404c02c61ea7c4
MD5 hash:
4000ab469a0c647a9f7c6fc792b0ea6b
SHA1 hash:
3cc28b7bed906567c7b3667d0f3f45dbd30ffdac
Link:
https://www.unpac.me/results/81c1ba5b-674b-4c1f-b50f-0b8caf9d5155/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e24757ef4e0d360786ce860c7aa4713f7958333b7a1afb60b9404c02c61ea7c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262811/

Comments