MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
SHA3-384 hash: 88ea998f8fc9fc8aa866eba1d77bf9b25aa6c60ffcb767ea02a65d56689fb80371317ec93c3901a6e53e48f7fd6812e1
SHA1 hash: a62a3f5531a425f17d8112534ccf69882609e5b6
MD5 hash: 79d9abdf646c50d31dd5f3903ab0c824
humanhash: saturn-helium-lion-football
File name:SmartBox.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:675'328 bytes
First seen:2025-02-13 08:42:22 UTC
Last seen:2025-02-13 09:37:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:c8rOI0I5wPOp6bTGfijBozZVmPNZCbjukLjkex8ZYCPQFcxlQg:0Ipp6bguWZymPukLweeZYxcxlL
Threatray 1'294 similar samples on MalwareBazaar
TLSH T1E9E4E07861BB55A7D11BC6705BF8BC73167070E7B8C9A9B40BAD03498BA6F003E8561F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 1044f2b0e0c1f200 (2 x AsyncRAT, 1 x njrat, 1 x Formbook)
Reporter Anonymous
Tags:Async AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
510
Origin country :
NP NP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SmartBox.exe
Verdict:
No threats detected
Analysis date:
2025-02-13 08:33:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c893659b-e6fb-4f4f-9a34-771ddff36bc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.24347.21690.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67adb0a0a0fd713c335aaa17
Tags:
agenttesla virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67adb09e991985e0a9580d57/reports/bf315a81-d4fe-4ba1-a582-4d2ad2bc3d17/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2e567c13-f056-43cd-96ce-e72367040923
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614090
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614090 Sample: SmartBox.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 48 lastofdr51.mywire.org 2->48 50 Nightmare15.strangled.net 2->50 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 11 other signatures 2->60 8 SmartBox.exe 7 2->8         started        12 coLdxBlgl.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\Roaming\coLdxBlgl.exe, PE32 8->40 dropped 42 C:\Users\...\coLdxBlgl.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp8D2C.tmp, XML 8->44 dropped 46 C:\Users\user\AppData\...\SmartBox.exe.log, ASCII 8->46 dropped 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Writes to foreign memory regions 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 RegSvcs.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Allocates memory in foreign processes 12->72 74 Injects a PE file into a foreign processes 12->74 24 schtasks.exe 12->24         started        26 RegSvcs.exe 12->26         started        28 RegSvcs.exe 12->28         started        signatures6 process7 dnsIp8 76 Loading BitLocker PowerShell Module 14->76 30 conhost.exe 14->30         started        32 WmiPrvSE.exe 14->32         started        34 conhost.exe 17->34         started        52 Nightmare15.strangled.net 34.70.24.145, 49704, 49732, 49782 GOOGLEUS United States 19->52 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-11-12 06:02:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7x2y5wh5vub425kba6d6lq6gbca53itbjjxwfixfbmne5vbfq2da._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d
AsyncRAT
46bcdad83987e1387a004286f7d130d90ba48d850b695c93e9ac1c6c1575ec64
AsyncRAT
4eedc7ed6ade620eef8eb160d18518afc9c59eb262baf8a9fdbe758fb611b6f0
AsyncRAT
66f3abf06c96c938894a2d721331e7dec08154d681bfae6f2db4dbc35a995e46
AsyncRAT
b5a23389aae665609477ed5bc161a049ff4532684dbd52217f252a01fca830cd
AsyncRAT
error
AsyncRAT
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
AsyncRAT
+ 1'284 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250213-kml5qavrep/
Behaviour
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6bbd5efc-f217-4081-8a9a-f16769bcf0db
Unpacked files
SH256 hash:
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686
MD5 hash:
79d9abdf646c50d31dd5f3903ab0c824
SHA1 hash:
a62a3f5531a425f17d8112534ccf69882609e5b6
Link:
https://www.unpac.me/results/fd4bf005-b6f6-4148-a96b-912bd6435d56/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686/behavior
  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/3280718/
  
URLhaus
https://urlhaus.abuse.ch/url/3280770/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments