YARAify Task Results

YARAify scan results for task ID 46ef9b0b-e03f-11f0-9df4-42010aa4000b.

Scan Results

Task ID:46ef9b0b-e03f-11f0-9df4-42010aa4000b
Task parameters:clamav_scan:True
unpack:True
share_file:True
Submission time:2025-12-23 20:38:02 UTC
Scan time:Scan took 6 seconds
File name:WINWORD.exe
File size:46'592 bytes
File download: Original Unpacked
MIME type:application/x-dosexec
SHA256 hash: 7a501da3320e35dfb71f3600431cf10dc273bde57d1538e0333981837f5b6b6e
MD5 hash: 17c87af9841e46ddf9eb386c8077c6f0
SHA1 hash: 5a94b45d4f1efd730c01e877ac6ba4439fa4dd00
SHA3-384 hash: cf15cffba1944df1ad58ceb0a4278e3189fbdf749504b15a42535bd4aa920c8cc4af29445c5fecb9be4099e07b7c421e
First seen:2025-12-23 20:38:02 UTC
Last seen:2025-12-24 07:22:43 UTC
Sightings:3
imphash : f34d5f2d4577ed6d9ceec516c1f5a744
Create hunting rule
ssdeep : 768:7uKjXdT9IQzpWUBj2Tmo2qLizqvyvaiPIc5jbqgX3iLscrU3croBDZV3:7uaXdT93O2r25c5b9XSLvYdV3
TLSH :n/a
telfhash :n/a
dhash icon :n/a

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
TLP:TLP:WHITE
Repository:CAPE
Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:CAPE
Rule name:asyncrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
TLP:TLP:WHITE
Repository:CAPE
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
TLP:TLP:WHITE
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
TLP:TLP:WHITE
Repository:YARAify
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:JPCERTCC
Rule name:malware_asyncrat
Create hunting rule
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
TLP:TLP:WHITE
Repository:JPCERTCC
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
TLP:TLP:WHITE
Repository:
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
TLP:TLP:WHITE
Repository:
Rule name:NET
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
TLP:TLP:WHITE
Repository:
Rule name:pe_imphash
Create hunting rule
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:TLP:WHITE
Repository:YARAify
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
TLP:TLP:WHITE
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
TLP:TLP:WHITE
Repository:SIFalcon
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
TLP:TLP:WHITE
Repository:embee-research
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
TLP:TLP:WHITE
Repository:Sandnet
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
TLP:TLP:WHITE
Repository:YARAify
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:Malpedia
Rule name:classified
Author:classified
Description:classified
TLP :TLP:AMBER
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
TLP:TLP:WHITE
Repository:elastic

Unpacker

The following YARA rules matched on the unpacked file.

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature:Win.Packed.AsyncRAT-9856570-1
Create hunting rule
Signature:Win.Packed.Razy-9625918-0
Create hunting rule