MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07
SHA3-384 hash: 1e10e2efde7feddbb99aeb98984284fcceccc158ebc8b88a3915cd2b1049e2db4bf5868ac2d3954883af4fbca23c153e
SHA1 hash: cabf280acaf6b7c5717b5847a3ae68763d8039b4
MD5 hash: 86677577a8796c97d8e0b71b1d4204d1
humanhash: fifteen-failed-india-wolfram
File name:RFQ 2020071Kloepfel Consulting.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:690'176 bytes
First seen:2020-07-17 15:44:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 80dec23b55a2406ea6b64743296c2829 (1 x AZORult, 1 x AsyncRAT, 1 x FormBook)
ssdeep 12288:7qdyUBuSUJH8YSTZaF4xtO6xbeOwhHLU+O6MOWrcgF7:edvUR/4y6hgrJBK1t
Threatray 2'502 similar samples on MalwareBazaar
TLSH 11E4F47E93600477E0321975C85F7A6809217E3C3D62DBA6FEA4B947BA317C0647327A
Reporter abuse_ch
Tags:AsyncRAT RAT scr


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: host.itamarket.cl
Sending IP: 199.167.202.17
From: Sabrina Bachhuber <info@kloepfel-consulting.com>
Subject: RFQ 2020071Kloepfel Consulting
Attachment: RFQ 2020071Kloepfel Consulting.img (contains "RFQ 2020071Kloepfel Consulting.scr")

AsyncRAT C2:
jeremymass01-46300.portmap.host:46300 (193.161.193.99)

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27444/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.1667.10910.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389118
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246753 Sample: RFQ 2020071Kloepfel Consult... Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 34 jeremymass01-46300.portmap.host 2->34 36 cdn.onenote.net 2->36 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 8 other signatures 2->46 9 RFQ 2020071Kloepfel Consulting.exe 2->9         started        12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 50 Writes to foreign memory regions 9->50 52 Allocates memory in foreign processes 9->52 54 Queues an APC in another process (thread injection) 9->54 14 notepad.exe 5 9->14         started        18 winds.exe 12->18         started        process6 file7 28 C:\Users\user\AppData\Roaming\...\winds.exe, PE32 14->28 dropped 30 C:\Users\user\...\winds.exe:Zone.Identifier, ASCII 14->30 dropped 32 C:\Users\user\AppData\...\winds update.vbs, ASCII 14->32 dropped 56 Creates files in alternative data streams (ADS) 14->56 58 Drops VBS files to the startup folder 14->58 20 winds.exe 14->20         started        60 Maps a DLL or memory area into another process 18->60 23 winds.exe 3 18->23         started        signatures8 process9 signatures10 48 Maps a DLL or memory area into another process 20->48 25 winds.exe 1 2 20->25         started        process11 dnsIp12 38 jeremymass01-46300.portmap.host 25->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 13:06:56 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsj6kivznx6werhs5av4a24lcsukeuc3ybpp6a25nlht4uhwtydq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0b84a62fb1d8d120b92b316c02bdf18af2de5c0c5cd09f55b66e24899a4a6360
AsyncRAT
4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc
AsyncRAT
4457d49095a509a84ce5c9796b7470c03a95638e1f628882cb8f6331b0153efb
AsyncRAT
59ae70d9d29e851c8564e7974ac853daa40d6ab9adb6fccf1b990042c8b2be03
AsyncRAT
59e39b6123ed1218d7ae3b4406b3e06c1fc84ecb8fafad05e762b9867c77248b
AsyncRAT
83a9482f5fb2807da38f62dce5a40bdf154d2c26f7a3080982efa30491bb66c4
AsyncRAT
b9fd1f91754ef3bdf7b66bd7138b2d1a5c9453b07bbdc515d582adfe7890d589
AsyncRAT
d402ac5a98fe1a739abee82fb4aa5264a03347b24f93812f808e645b809c36db
AsyncRAT
e45aa38e4f734a6b5e9d8e55d3b71b16e4ae389eb7c857bbdaa98fb47e1d9ef3
AsyncRAT
e678a72b6f30f69daafd945543d4bb3e58152c37f8a7b883ce96b9ddf1c1c482
AsyncRAT
+ 2'492 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
upx rat family:asyncrat
Link:
https://tria.ge/reports/200717-vq8c7jqq96/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img 691995e7f98bc15cf7573a544020fa598eb6bd2b15ad2d4b612acae0f985a02d

AsyncRAT

Executable exe 5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07

(this sample)

  
Dropped by
MD5 fcaffa90af497ea94f9031e571bc9a6d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 691995e7f98bc15cf7573a544020fa598eb6bd2b15ad2d4b612acae0f985a02d
Cape
Cape
https://www.capesandbox.com/analysis/27444/

Comments