MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
SHA3-384 hash: ba33a495b2f320763f24e287c6c0a901ff3663cb21fbe7768aee7fe52d6ce1dcba8b1586c8c6d5954b69e5664e0e86ea
SHA1 hash: d82919e11eeaa23997e5047d2041c5acb8c3bab5
MD5 hash: ce6f5ba448e5b85d0410c70eb68b8b7b
humanhash: winter-oranges-wisconsin-india
File name:fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c(1)
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:100'089'608 bytes
First seen:2024-11-14 11:24:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:srae78zjORCDGwfdCSog01313zAYs5gczGNuKTFP76k:0ahKyd2n31UR5MTFPJ
Threatray 66 similar samples on MalwareBazaar
TLSH T1D9282A0A57F420BAE4B65774A9F201539A32B8A15B7996FF22C8C1BD4F137C0B931B17
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10522/11/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:AsyncRAT exe openaisoralab-com repostebhu-sbs StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
946
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c(1)
Verdict:
Malicious activity
Analysis date:
2024-11-14 15:59:40 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/052b89c4-f906-422c-9a06-89783a785bfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6735de816bc7caf979b2a6c6
Tags:
emotet gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
W64/ABRisk.BNYJ
Link:
https://www.hybrid-analysis.com/sample/fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
Result
Threat name:
AsyncRAT, AveMaria, StormKitty, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1555761
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1555761 Sample: o885M9rc16.exe Startdate: 14/11/2024 Architecture: WINDOWS Score: 100 68 openaisoralab.com 2->68 88 Suricata IDS alerts for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Yara detected BrowserPasswordDump 2->92 94 13 other signatures 2->94 10 o885M9rc16.exe 1 4 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 2->15         started        17 rundll32.exe 2->17         started        signatures3 process4 signatures5 112 Creates multiple autostart registry keys 10->112 19 cmd.exe 1 10->19         started        22 cmd.exe 10->22         started        24 Edgeservices.exe 13->24         started        26 conhost.exe 13->26         started        28 Edgeservices.exe 15->28         started        30 conhost.exe 15->30         started        process6 signatures7 96 Suspicious powershell command line found 19->96 98 Encrypted powershell cmdline option found 19->98 32 powershell.exe 15 49 19->32         started        37 conhost.exe 19->37         started        39 conhost.exe 22->39         started        100 Writes to foreign memory regions 24->100 102 Allocates memory in foreign processes 24->102 104 Injects a PE file into a foreign processes 24->104 41 AddInProcess32.exe 3 24->41         started        43 WerFault.exe 21 24->43         started        45 AddInProcess32.exe 28->45         started        47 WerFault.exe 28->47         started        process8 dnsIp9 66 openaisoralab.com 104.21.37.69, 443, 49730 CLOUDFLARENETUS United States 32->66 58 C:\Users\Public\...\vcruntime140_1.dll, PE32+ 32->58 dropped 60 C:\Users\Public\...\vcruntime140.dll, PE32+ 32->60 dropped 62 C:\Users\Public\Downloads\...\vcomp140.dll, PE32+ 32->62 dropped 64 25 other files (9 malicious) 32->64 dropped 80 Found many strings related to Crypto-Wallets (likely being stolen) 32->80 82 Creates multiple autostart registry keys 32->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 32->84 86 Powershell drops PE file 32->86 49 Edgeservices.exe 32->49         started        file10 signatures11 process12 signatures13 72 Found many strings related to Crypto-Wallets (likely being stolen) 49->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 49->74 76 Writes to foreign memory regions 49->76 78 2 other signatures 49->78 52 AddInProcess32.exe 1 4 49->52         started        56 WerFault.exe 19 16 49->56         started        process14 dnsIp15 70 139.99.85.8, 4449, 50026 OVHFR Canada 52->70 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->106 108 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 52->108 110 Queries memory information (via WMI often done to detect virtual machines) 52->110 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
Gathering data
Threat name:
Win64.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2024-11-10 13:33:28 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
3 of 38 (7.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7o5v5ju4tmde4otqc73yji37ksjxqjx6swfqhvsulc2mpzesgzoa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
stormkitty
Create hunting rule
Similar samples:
00e0fe1229850e182f0b32dc45c1c6515694b655e8d39d9777beb35e30bf4f20
AsyncRAT
0371d6e1e7638e52af5cdef7265500ebd3426a0e3754afcf0b4f431d30f2025c
AsyncRAT
08b07b63633d2eba94040bd8e878525018fba9c354cfece62bd750e0ad7cc4a9
AsyncRAT
40e5c3102df147519bff640e1323515666765321079f4094210a6f28bb88af0b
AsyncRAT
d183ff97ac5c70dbbabbc93155f02398dd1ad1bc5dbe9d3f72722bd6d0c189da
AsyncRAT
error
AsyncRAT
+ 56 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery execution persistence rat stealer
Link:
https://tria.ge/reports/241114-njat3axqas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Malicious
Tags:
stealer redline
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/0a359876-855a-4eeb-9f6a-fb8ff7013773
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments