MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c
SHA3-384 hash: 50f728f0dd91153ce5e8be5b74a3fc2ed34fcc138fa585c0311e076eb37882bbeefc73fb999be1a7154115a5be4628a2
SHA1 hash: 8d8cc9b6601d7de6163e8981766c773d5c16f605
MD5 hash: c606904e8b836a2a86f7834db7ffe50b
humanhash: sodium-edward-mobile-hotel
File name:Deepfake_Maker.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'345'536 bytes
First seen:2022-08-16 12:49:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'853 x AgentTesla, 19'779 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 24576:3wQ2gdkNGSiZEZb7CKZvIpO2AJs8crDAiXeQu7cT9+:gQzkNBOm7CivK74crDAQH
TLSH T16F559D2D25A97108DC363730DCAB50D056F6BD65BE04F66F28A7320D8A3269F871DF62
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JaffaCakes118
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/994725500935213056/1008743296534855861/Deepfake_Maker.exe
Verdict:
Malicious activity
Analysis date:
2022-08-16 11:35:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0969dc4-a584-4b2d-95c4-c3bed3b02025

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299010/
Detection(s):
SecuriteInfo.com.BackDoor.RatNET.2.5777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
explorer.exe packed xloader
Link:
https://www.filescan.io/uploads/62fb92bb9013ab2e3d04af70/reports/eba2aacf-5888-4a3e-b218-82e18da7b585/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44189d71-4cb8-455c-b689-2907d5eb95f2
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1052286
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 684802 Sample: Deepfake_Maker.exe Startdate: 16/08/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 13 other signatures 2->57 8 Deepfake_Maker.exe 6 2->8         started        process3 file4 41 C:\Users\user\AppData\...rhaDFqvPGICl.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\tmp1B60.tmp, XML 8->43 dropped 45 C:\Users\user\...\Deepfake_Maker.exe.log, ASCII 8->45 dropped 61 Performs DNS queries to domains with low reputation 8->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 8->63 65 Disables Windows Defender (via service or powershell) 8->65 67 Injects a PE file into a foreign processes 8->67 12 Deepfake_Maker.exe 4 8->12         started        17 schtasks.exe 1 8->17         started        signatures5 process6 dnsIp7 49 fuckyoumonkey.xyz 172.67.193.42, 443, 49708 CLOUDFLARENETUS United States 12->49 47 C:\...\dYjwqwUMPyCnXnPwuHAEVjmJZMjDrl.exe, PE32+ 12->47 dropped 69 Disables Windows Defender (via service or powershell) 12->69 19 dYjwqwUMPyCnXnPwuHAEVjmJZMjDrl.exe 12->19         started        23 powershell.exe 23 12->23         started        25 powershell.exe 8 12->25         started        29 3 other processes 12->29 27 conhost.exe 17->27         started        file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 19->39 dropped 59 Query firmware table information (likely to detect VMs) 19->59 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 29->35         started        37 conhost.exe 29->37         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c/
Threat name:
ByteCode-MSIL.Trojan.Xloader
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 20:44:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56p4nkggb7r7tz7zxddmnzapo724uogvl6xt7etcw622rvxfzbwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/220816-p2xbfshbfm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UAC bypass
Unpacked files
SH256 hash:
de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa
MD5 hash:
ea87f37e78fb9af4bf805f6e958f68f4
SHA1 hash:
89662fed195d7b9d65ab7ba8605a3cd953f2b06a
Link:
https://www.unpac.me/results/c9625021-c3fc-4fc5-8dd4-62a47620a576/
SH256 hash:
5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash:
01800f6b045def8d90c649842f56d752
SHA1 hash:
f8434a4636d0772d01aac44bb3f9753a41f01d34
Link:
https://www.unpac.me/results/c9625021-c3fc-4fc5-8dd4-62a47620a576/
SH256 hash:
84c7cc457bac5102e8369b89c7aeb4796b4e6d05fd7da1b532405d4bd12de08b
MD5 hash:
98e7aa42dd38378b55d752cb04730841
SHA1 hash:
9a9199bc9a18d27b799589aef2b341e54ceaa2b5
Link:
https://www.unpac.me/results/c9625021-c3fc-4fc5-8dd4-62a47620a576/
SH256 hash:
77de7cabd36a7b5549083575b15370b04e55fc5df51a55bfdca3a8b646a41515
MD5 hash:
a7c086aa9978fa641868a6cb75eeacec
SHA1 hash:
8642ade8243275f185af310b3332afb8d6dd078b
Link:
https://www.unpac.me/results/c9625021-c3fc-4fc5-8dd4-62a47620a576/
SH256 hash:
ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c
MD5 hash:
c606904e8b836a2a86f7834db7ffe50b
SHA1 hash:
8d8cc9b6601d7de6163e8981766c773d5c16f605
Link:
https://www.unpac.me/results/c9625021-c3fc-4fc5-8dd4-62a47620a576/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe ef9fc6a8c60fe3f9e7f9b8c6c6e40f77f5ca38d55faf3f9262b7b5a8d6e5c86c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299010/

Comments