MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738
SHA3-384 hash: d446f5229c56d35bb000616533fbbefd68c50f69b691971c9efb4b10966a35520eedfb9bb370eebb87cde52f67229689
SHA1 hash: 8e1b5f54228c29a1914fb1d264a044c3e18255e4
MD5 hash: fbbd8fa745a4efb592932f75386f14ae
humanhash: north-florida-nevada-whiskey
File name:b24ee01804b7014bf78f5744b849f573473013443ca1d1b409491cb7
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:8'341'760 bytes
First seen:2023-10-19 14:56:44 UTC
Last seen:2023-10-24 12:56:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 85cddd6092e65c1a58dd1e6e9ab9fc63 (18 x RedLineStealer, 9 x LummaStealer, 2 x AsyncRAT)
ssdeep 49152:TbB7etnD667rb/TdvO90d7HjmAFd4A64nsfJeJtzK2h7ymUO+JZiZ7S+UqT6gXed:i66zK25j6guuREIetXa+
Threatray 305 similar samples on MalwareBazaar
TLSH T15E867BC7F89050E4C0AEE37485668262BA713C985F3027D32A50FFB82E76BD49E76354
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3032719696513230 (1 x AsyncRAT)
Reporter r3dbU7z
Tags:AsyncRAT exe signed

Code Signing Certificate

Organisation:AMCERT, LLC
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2022-11-22T00:00:00Z
Valid to:2023-11-22T23:59:59Z
Serial number: 41a800f99dbbcd41c11952d781688121
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 28da452c2d2576ebc958889bbb39c2d82cd7547639fda4fc2e4903e47f2e89af
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
374
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
b24ee01804b7014bf78f5744b849f573473013443ca1d1b409491cb7
Verdict:
Malicious activity
Analysis date:
2023-10-19 14:59:34 UTC
Tags:
remote rat asyncrat
Link:
https://app.any.run/tasks/c056bf72-6755-435f-866f-2a2455d0a946

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Generickdz-9879553-0
Create hunting rule

Win.Packed.Bulz-9892763-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
91%
Tags:
anti-debug greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/653143c04e8eaf1eb5ffd9f2/reports/97d438fd-768a-4f56-85ae-846599a82337/overview
Verdict:
Suspicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ede1909f-901c-4bef-8720-164fb7645957
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 14:57:06 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
8 of 21 (38.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sa4p4lgkkrfw2qtzdi6df22a3mafg42jery7jedhpkpwjn6y44a._file
Verdict:
malicious
Similar samples:
132acdd518240ece3cb4da78c47bc7fc5ed8d55420084104cbc91e6022bdb833
AsyncRAT
188eced85124122e1465031e6536377b4283f00d24fa28626f71138a4dc06cfc
AsyncRAT
19ff6f8df881b811dc4719e6a8c2b91d94323f7f2b05cec93f5c11d0d8e61143
AsyncRAT
800d7d569bde7e5f450e1848e54aa47df0811d7dcb5c338c0cc311b8f55cb9c5
AsyncRAT
8a39fbbdc6242227e330edfb6a3916058c613b0535633ac1bbbc2b0d22647b5f
AsyncRAT
951dbdb3c729d3ea42bb5aa2d2ce9f265d7acb67b170e890365a783a99e24164
AsyncRAT
b62fc62a03e4d6c0eac25a8b104d8064288fdc5665ddc19ba55ed520ab9f2827
AsyncRAT
bc8b040947df20ec884ede4cc5ece724218056120ef75e54f581c594abbe2b92
AsyncRAT
cef2bd1b1b01dda513421bb2cee542c016b3d25103e4086f6c5684e687f48ae8
AsyncRAT
f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf
AsyncRAT
+ 295 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/231019-sbk3aaaa46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:4449
20.211.121.138:4449
Unpacked files
SH256 hash:
e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738
MD5 hash:
fbbd8fa745a4efb592932f75386f14ae
SHA1 hash:
8e1b5f54228c29a1914fb1d264a044c3e18255e4
Link:
https://www.unpac.me/results/bff7d18b-d383-4a7e-9c75-533211285fec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e481c7f16652/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe e481c7f16652a25b6a13c8d1e1975a06d8029b9a49238fa4833bd4fb25bec738

(this sample)

  
Delivery method
Distributed via web download

Comments