YARAify Task Results

YARAify scan results for task ID ee02426b-e011-11f0-9df4-42010aa4000b.

Scan Results

Task ID:ee02426b-e011-11f0-9df4-42010aa4000b
Task parameters:clamav_scan:True
unpack:True
share_file:True
Submission time:2025-12-23 15:13:26 UTC
Scan time:Scan took 5 seconds
File name:firefox.exe
File size:46'592 bytes
File download: Original Unpacked
MIME type:application/x-dosexec
SHA256 hash: d66af8fb064d5606405675e1f610ebf62bf3caefed5347e1a6b24cfd0faac7dd
MD5 hash: efb464936649cf2066718807f1121e3f
SHA1 hash: e3a826ded224f617be08ee0a0ae64ca20b89cdce
SHA3-384 hash: 0dbc15353593134d33915c498195d8d64d76783cf8161aeb530d2f4eb4f30542072cf0d01503eeb137203a27ed60e058
First seen:2025-12-23 15:13:25 UTC
Last seen:2025-12-23 16:19:16 UTC
Sightings:4
imphash : f34d5f2d4577ed6d9ceec516c1f5a744
Create hunting rule
ssdeep : 768:ru66dT9slTJWUhDuzmo2qLFO5QSCBzHSNjPI7zjbDgX3iHcPsOXSVuHZ3DBDZKw:ru66dT9We2WO59ESK73bcXSHcPsm5HZ9
TLSH :n/a
telfhash :n/a
dhash icon :n/a

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
TLP:TLP:WHITE
Repository:CAPE
Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:CAPE
Rule name:asyncrat_kingrat
Create hunting rule
Author:jeFF0Falltrades
TLP:TLP:WHITE
Repository:CAPE
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
TLP:TLP:WHITE
Repository:diˈtekSHən
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
TLP:TLP:WHITE
Rule name:Mal_WIN_AsyncRat_RAT_PE
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect AsyncRAT implant.
TLP:TLP:WHITE
Repository:YARAify
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:JPCERTCC
Rule name:malware_asyncrat
Create hunting rule
Description:detect AsyncRat in memory
Reference:https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
TLP:TLP:WHITE
Repository:JPCERTCC
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
TLP:TLP:WHITE
Repository:
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
TLP:TLP:WHITE
Repository:
Rule name:NET
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
TLP:TLP:WHITE
Repository:
Rule name:pe_imphash
Create hunting rule
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:TLP:WHITE
Repository:YARAify
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
TLP:TLP:WHITE
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
TLP:TLP:WHITE
Repository:SIFalcon
Rule name:win_asyncrat_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
TLP:TLP:WHITE
Repository:embee-research
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
TLP:TLP:WHITE
Repository:Sandnet
Rule name:win_asyncrat_unobfuscated
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in unobfuscated AsyncRat Samples. Rule may also pick up on other Asyncrat-derived malware (Dcrat/venom etc)
TLP:TLP:WHITE
Repository:YARAify
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
TLP:TLP:WHITE
Repository:Malpedia
Rule name:classified
Author:classified
Description:classified
TLP :TLP:AMBER
Rule name:Windows_Generic_Threat_ce98c4bc
Create hunting rule
Author:Elastic Security
TLP:TLP:WHITE
Repository:elastic

Unpacker

The following YARA rules matched on the unpacked file.

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature:Win.Packed.AsyncRAT-9856570-1
Create hunting rule
Signature:Win.Packed.Razy-9625918-0
Create hunting rule