MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961
SHA3-384 hash: 2ada08b851fc22f1e4d09b2da8e37b91dcaacb6b0e9339fb8e6f57a4f03cf79ec0dd95ac166bb2ad407a17c461a64a45
SHA1 hash: 2954262f91a7c6949e5126ac0c254ca0e19fef68
MD5 hash: 7c904990e9592b2b8c460ea929a39b69
humanhash: iowa-connecticut-quebec-early
File name:PO Tlc 80998767768989757895757899.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:588'800 bytes
First seen:2020-06-30 09:02:52 UTC
Last seen:2020-06-30 09:59:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 3072:dTwfF9opCeXJQbvdCMc/h85e4MDgFcEYk:mfFoN5QbVCN8roscE
Threatray 542 similar samples on MalwareBazaar
TLSH 84C4315936D9D228EFF2AF3BC0D50404A3A0ECD3E5976B15B5BAB30616B7F810823756
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: WIN-KP3NFSDUTC3
Sending IP: 172.93.187.166
From: Sales <Eric@smileton.com>
Reply-To: Eric@smileton.com
Subject: Customers urgent Order
Attachment: PO Tlc 80998767768989757895757899.arj (contains "PO Tlc 80998767768989757895757899.exe")

AsyncRAT C2:
olodofries888.ddns.net:1515 (79.134.225.125)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17066/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENHH.3939.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 09:04:07 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyq7p5ynp5bsr46spzfqidvnt75gxk4pshn3d644wiiqlcsovfqq._file
Verdict:
malicious
Similar samples:
0e7c56b00281e18e385042a28f0e6202fbe39f3cdb219d17489799fca09b6550
AsyncRAT
0eeb561ea16bf80e301847add0363445976f5ab518d23e499cbf1f7ce9e6fc59
AsyncRAT
5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
AsyncRAT
758c2192e60534c48145e7704dc3d810b8de899bb36a756fdfa1d34c5971ff45
AsyncRAT
9b471c2935fdd01c7e9d57e78f91d213e6d1b5a44ac1719048d92d02d1976422
AsyncRAT
a6604aebaa716ddce1cc646eb63b3ddcdc7aaa59efe4e10bcd1650dee815ea03
AsyncRAT
a86751d7ee905499b6e324dc5175e287a20d34cde78cbe35a290523dea9d1cd0
AsyncRAT
abf3559102f105717f176c7929b5994a35686be15d37fb91d19d885f79cc1310
AsyncRAT
b05af3b65673a21e658075117c050ce9ebdf47634b64e354a6abf241fc8e8a9e
AsyncRAT
f019485de1ca48a37011e7df076b8e7105e928d4b2695caa1a6780a2a30f45cb
AsyncRAT
+ 532 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:asyncrat
Link:
https://tria.ge/reports/200630-y32l4d8pss/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

arj 78a1bdc4bd8f2edcb48c0f3e0f62173e3db48de28ff025864ca844e3cd067aca

AsyncRAT

Executable exe 5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961

(this sample)

  
Dropped by
MD5 42760ae87fbd8868d1425d6a81e3b0f7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 78a1bdc4bd8f2edcb48c0f3e0f62173e3db48de28ff025864ca844e3cd067aca
Cape
Cape
https://www.capesandbox.com/analysis/17066/

Comments