MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416
SHA3-384 hash: 536147275db84e58d0d23a9d373f84ff0d636ef98b0e2aa070e5efc368b680c76939429ebed89848b7487908d183d5d6
SHA1 hash: 14eca3b683575f026c105f7b4afc81204323868f
MD5 hash: 96a0822a132f93f3ee12b8a85284516a
humanhash: coffee-king-hawaii-lithium
File name:96a0822a132f93f3ee12b8a85284516a
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:2'787'328 bytes
First seen:2023-01-25 07:55:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:FkkR95Qht1hYZ6t+HFzed7/x5rmsxftZ:A
Threatray 2'947 similar samples on MalwareBazaar
TLSH T109D5E1320B5AFF97E6AB0F7484C53A107D390843AF5BD294F9C8156B95C8B64F988E70
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 3c696de440808480 (3 x CoinMiner, 2 x PureCrypter, 2 x AsyncRAT)
Reporter zbetcheckin
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
96a0822a132f93f3ee12b8a85284516a
Verdict:
Malicious activity
Analysis date:
2023-01-25 07:58:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a112ce20-1aaa-4ad5-82cd-5414ba78641c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356644/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/63d0e094447edb203a00de76/reports/7a305a37-e7ec-4d17-9aa0-32a0a09918ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/990148ef-3c68-4ade-847a-ea533647ea9c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1158534
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791271 Sample: PhhLBPpV5a.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 92 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code contains potential unpacker 2->36 38 2 other signatures 2->38 7 PhhLBPpV5a.exe 3 2->7         started        10 PhhLBPpV5a.exe 7 2->10         started        process3 file4 40 Antivirus detection for dropped file 7->40 42 Multi AV Scanner detection for dropped file 7->42 44 Machine Learning detection for dropped file 7->44 13 powershell.exe 11 7->13         started        28 C:\Users\user\AppData\...\PhhLBPpV5a.exe, PE32+ 10->28 dropped 30 C:\Users\user\AppData\...\PhhLBPpV5a.exe.log, CSV 10->30 dropped 46 Encrypted powershell cmdline option found 10->46 15 cmd.exe 1 10->15         started        18 powershell.exe 16 10->18         started        signatures5 process6 signatures7 20 conhost.exe 13->20         started        48 Encrypted powershell cmdline option found 15->48 22 powershell.exe 17 15->22         started        24 conhost.exe 15->24         started        26 conhost.exe 18->26         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 10:13:57 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
22
AV detection:
17 of 39 (43.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77roipsza5gpe6dvzqy6rpueka5ru2cu3u7sjafvv733nmrauqla._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
5e6776ba02afa4c03138edcdf1e10dabee3efd6afd1620dcdb3138e7632bcb79
AsyncRAT
668eb4590a79e6a228f5048fe1736e40dce34034398cf762e6c6ba42599cb8e7
AsyncRAT
685be88c62e8025eeb310af5914b20fcc25ce633e9b04d2112e9386968cf802f
AsyncRAT
a3375e8060a51acf467e9659bc9d73ead727bb7cdf0258c0d8d5fa19887658aa
AsyncRAT
c4de1d4e7c0f10aebb929a4c6719a6b6b61b2a7f5a56a85507c5f37cab250b3a
AsyncRAT
e018b6d0caaca2f69ba2e35ca7b984a23f9a575f66dd56f586d9aabd4af5c837
AsyncRAT
ec4b8c7407dce9428bfe6752b90cfd9dafe91d83e238102bf310c6deaeb21a01
AsyncRAT
f552aa73f8676e36d8a3c31cae3a875f39e50cb4ee332b4349e8cb39ea55cf31
AsyncRAT
fac7c67b12417b1434baa368422d9f167d2c4473edc2c63921e4b2ee5588b4cc
AsyncRAT
+ 2'937 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230125-jspmcsha4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416
MD5 hash:
96a0822a132f93f3ee12b8a85284516a
SHA1 hash:
14eca3b683575f026c105f7b4afc81204323868f
Link:
https://www.unpac.me/results/f839cd5d-5788-456a-abb7-1a10c8076214/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2517888/
Cape
Cape
https://www.capesandbox.com/analysis/356644/

Comments


Avatar
zbet commented on 2023-01-25 07:56:04 UTC

url : hxxp://185.106.94.146/deliver2.exe