MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8eb456776edf06cd08eac96aaedd5108737a563c6441e0dd61759631d567271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash: f8eb456776edf06cd08eac96aaedd5108737a563c6441e0dd61759631d567271
SHA3-384 hash: f3d0cccf4a8ab43a5eb40a957bbb0df335e49126e2923fe9924918199503872d454c0ae14d9f7d55514cd78cb7281708
SHA1 hash: afa8dc5f9d9a9cc9685513facb68ba29f62b9df6
MD5 hash: 51584394f75ed4494c7bfabe52820d42
humanhash: early-undress-uniform-princess
File name:SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536
Download: download sample
Signature AsyncRAT
File size:58'456 bytes
First seen:2023-12-08 11:24:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 384:WI9PW37/X/BbZekHSFhunTzJhfHt4W7XzuHRN7rpb045DNR9zO0q:WIVW3T/Bb6FhAz/lVza1b9z
Threatray 1 similar samples on MalwareBazaar
TLSH T1EB430E5A6AE44836DCB7A9BE67B7B3F11BAC5B92280DD41517807339653D2C2BD00F38
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8213013131341131 (10 x AsyncRAT, 4 x zgRAT, 1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:AsyncRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending an HTTP GET request
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Result
Threat name:
AsyncRAT, Clipboard Hijacker
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates executable files without a name
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Powershell download payload from hardcoded c2 list
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356151 Sample: SecuriteInfo.com.HEUR.Troja... Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 107 textbin.net 2->107 109 rentry.co 2->109 111 3 other IPs or domains 2->111 121 Multi AV Scanner detection for domain / URL 2->121 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 7 other signatures 2->127 12 SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe 3 2->12         started        15 RgPFGxFfKq.exe 2->15         started        17 RgPFGxFfKq.exe 2->17         started        signatures3 process4 signatures5 153 Suspicious powershell command line found 12->153 155 Obfuscated command line found 12->155 19 powershell.exe 15 28 12->19         started        157 Multi AV Scanner detection for dropped file 15->157 159 Machine Learning detection for dropped file 15->159 24 RgPFGxFfKq.exe 15->24         started        26 RgPFGxFfKq.exe 17->26         started        process6 dnsIp7 113 rentry.co 164.132.58.105, 443, 49731 OVHFR France 19->113 115 textbin.net 148.72.177.212, 443, 49729 AS-30083-GO-DADDY-COM-LLCUS United States 19->115 117 2 other IPs or domains 19->117 99 C:\Users\user\AppData\Local\Temp\.exe, PE32 19->99 dropped 145 Creates executable files without a name 19->145 147 Potential dropper URLs found in powershell memory 19->147 149 Powershell drops PE file 19->149 28 cmd.exe 19->28         started        30 cmd.exe 1 19->30         started        32 cmd.exe 19->32         started        34 7 other processes 19->34 file8 signatures9 process10 process11 36 .exe 28->36         started        39 conhost.exe 28->39         started        41 .exe 2 30->41         started        43 conhost.exe 30->43         started        45 .exe 32->45         started        47 conhost.exe 32->47         started        49 .exe 34->49         started        51 .exe 1 34->51         started        53 10 other processes 34->53 signatures12 129 Encrypted powershell cmdline option found 36->129 55 powershell.exe 36->55         started        131 Antivirus detection for dropped file 41->131 133 Multi AV Scanner detection for dropped file 41->133 135 Machine Learning detection for dropped file 41->135 57 powershell.exe 16 41->57         started        137 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->137 139 Writes to foreign memory regions 45->139 141 Allocates memory in foreign processes 45->141 143 Injects a PE file into a foreign processes 45->143 60 RegAsm.exe 45->60         started        63 powershell.exe 49->63         started        66 powershell.exe 51->66         started        68 powershell.exe 53->68         started        70 powershell.exe 53->70         started        72 powershell.exe 53->72         started        74 powershell.exe 53->74         started        process13 dnsIp14 76 1GGHJGRT.exe 55->76         started        80 conhost.exe 55->80         started        151 Powershell drops PE file 57->151 82 conhost.exe 57->82         started        119 88.248.18.120, 33918 TTNETTR Turkey 60->119 103 C:\Users\user\AppData\Local\...\1GGHJGRT.exe, PE32 63->103 dropped 84 conhost.exe 63->84         started        86 conhost.exe 66->86         started        88 conhost.exe 68->88         started        90 conhost.exe 70->90         started        92 conhost.exe 72->92         started        94 conhost.exe 74->94         started        file15 signatures16 process17 file18 101 C:\Users\user\AppData\...\RgPFGxFfKq.exe, PE32 76->101 dropped 161 Multi AV Scanner detection for dropped file 76->161 163 Machine Learning detection for dropped file 76->163 165 Injects a PE file into a foreign processes 76->165 96 1GGHJGRT.exe 76->96         started        signatures19 process20 dnsIp21 105 46.1.103.124, 2341 MILLENICOM-ASDE Turkey 96->105
Threat name:
Win32.Trojan.Nekark
Status:
Malicious
First seen:
2023-12-08 09:35:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
f8eb456776edf06cd08eac96aaedd5108737a563c6441e0dd61759631d567271
MD5 hash:
51584394f75ed4494c7bfabe52820d42
SHA1 hash:
afa8dc5f9d9a9cc9685513facb68ba29f62b9df6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe f8eb456776edf06cd08eac96aaedd5108737a563c6441e0dd61759631d567271

(this sample)

  
Delivery method
Distributed via web download

Comments