MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT

Vendor detections: 14

SHA256 hash: f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
SHA3-384 hash: 6e6d5d3e64368d2805acb5c0a3021546787e267b448aff36006185f3ade4eb949b71550a4fa1178f252c423c83f45f83
SHA1 hash: fef9e938027e649ebbcffb074c65d46b2d0a1621
MD5 hash: d1b974d3816357532a0de6b388c5c361
humanhash: california-georgia-jersey-floor
File name: Eclipse.exe
Signature: AsyncRAT
File size: 12'145'152 bytes
First seen: 2023-12-03 10:37:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 196608:ik0gfc3haxZH+fiE1jlKkbSPSvFWuFBGFV42uL7L:ikhfcuZH+XKgHFW+BGFVE7L
TLSH: T14BC6BE137285DA25C43941F10852DAB453F1AD189A298BFA3AD83E7B3FF12C67B057D2
TrID: 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      25.9% (.SCR) Windows screen saver (13097/50/3)
      20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: b070f0bc9cc0f030 (2 x AsyncRAT)
Reporter: ArmAUva
Tags: AsyncRAT exe malware worm

Intelligence


File Origin
# of uploads: 1
# of downloads: 761
Origin country: IL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Detecting VM
Sending a custom TCP request
Searching for the window
Unauthorized injection to a system process
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm anti-vm aspnet_compiler bitsadmin cmd cmstp control dllhost evasive explorer explorer fingerprint lolbin lolbin msbuild netsh packed packed regasm regedit regsvcs remote runonce schtasks shell32 stealer vbc
Result
Verdict: MALICIOUS
Result
Threat name: AsyncRAT, XWorm
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected RUNPE
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Threat name: Win32.Trojan.XWormRAT
Status: Malicious
First seen: 2023-12-03 12:20:44 UTC
File Type: PE (Exe)
Extracted files: 403
AV detection: 22 of 23 (95.65%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
MD5 hash: e1e28c3acf184aa364c9ed9a30ab7289
SHA1 hash: 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

SHA256 hash: a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4
MD5 hash: e1990fe52ec2c952b28350a8f1c1689e
SHA1 hash: 2fd088c787de7573337cb533d275d8d9fb56c644
Detections: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_EXE_RawPaste_URL MALWARE_Win_AsyncRAT

SHA256 hash: f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
MD5 hash: d1b974d3816357532a0de6b388c5c361
SHA1 hash: fef9e938027e649ebbcffb074c65d46b2d0a1621
Detections: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_EXE_RawPaste_URL MALWARE_Win_AsyncRAT
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_decoding
Author: iam-py-test
Description: Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021 to December 2022

Rule name: MALWARE_Win_AsyncRAT
Author: ditekSHen
Description: Detects AsyncRAT

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: QbotStuff
Author: anonymous

Rule name: SUSP_OneNote
Author: spatronn
Description: Hard-Detect One

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Trojan_Xworm_732e6c12
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Multiple

Comments