MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac016f9b1592fb93fe1117f2a2e20b383944828d649f1ba33ecf831a78537b78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac016f9b1592fb93fe1117f2a2e20b383944828d649f1ba33ecf831a78537b78
SHA3-384 hash: 3991875d8a47adc7d0eb38bb8ea75ea434d5a3aa768957560aaac88a3890c7a9399fb638beb6a0536a5d05bbbf6bd695
SHA1 hash: 869a8a7ddbdef0840bbc44f5c6cc0cc043059731
MD5 hash: 8b0fb5064ee0361249dc6ff3aa94c584
humanhash: queen-lima-delaware-equal
File name:SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:411'136 bytes
First seen:2020-05-07 12:23:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KhEPA2OKwFLLCVaEaI9+/6wY0O5pm1pDFzdCpgrMO+8zt7fEiJKXRDOkUKvOjh:Cf26ZCVMI9W6eO5pmvDTov0lfEm6Ok9
Threatray 501 similar samples on MalwareBazaar
TLSH 4D94CF483A2D71BED023D8319EE4EC65EA54BD36664A936BA423345E0EFCF85CE01D71
Reporter abuse_ch
Tags:AsyncRAT exe


Avatar
abuse_ch
Malspam distributing AsyncRAT:

Sending IP: 203.128.3.25
From: wonhar <wonhar@brain.net.pk>
Reply-To: <ayala22mark@gmail.com>
Reply-To: <ayala22mark@gmail.com>
Subject: ULTITEC COVID 19 PROTECTIVE CLOTHING
Subject: ULTITEC COVID 19 PROTECTIVE CLOTHING
Attachment: SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.7z (contains "SAFETYMATERIAL-COVERALL-MASKPPENh3nfndGkgptXUf.exe")

AsyncRAT C2:
185.165.153.215:6606

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacy-matters.co'

inetnum: 185.165.153.0 - 185.165.153.255
netname: PRIVACY_MATTERS
remarks: This prefix belongs to a VPN service provider.
remarks: For us the privacy of our customers matters, which means we store no logs
remarks: related to any IP addresses.
remarks: Spamhaus, please note that blacklisting the clean prefixes of our hosting
remarks: partners and upstream providers is an act of coercion and will no longer
remarks: be tolerated.
remarks: Coercion is punishable by a custodial sentence or by a monetary penalty.
remarks: If you continue such practice we will not only take legal actions against
remarks: your organization, but also make such blackmailing attempts public in the
remarks: media.
country: AT
admin-c: PMVS3-RIPE
tech-c: PMVS3-RIPE
org: ORG-PMVS1-RIPE
status: ASSIGNED PA
mnt-by: PM-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2019-10-18T13:31:16Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VUF.26020.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 10:00:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqaw7gyvsl5zh7qrc7zkfyqlha4ujaunmsprxiz6z6bru6ctpn4a._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0ed397f068e9ffac40486cc83ff5eeb06df0e2b504eb3e5bfdb2acc43c3c98f7
AsyncRAT
1d0d8c5370adf00c6dfcebcd398685e53871c2848d6241854cf338149c2bd7c3
AsyncRAT
243f707f1d8eabf197f836f4e87426bf3f2619ab74a089e15ed8182e74752dcd
AsyncRAT
2bb06f09556b4531015208c97a20dd3b56d6b82b2d3f49a353dc65be55da4623
AsyncRAT
5d3458557fbbbb90d173421d121a336cda9d4af770eddf393f7c3705fca4862a
AsyncRAT
6b09f1cfc05625cdd9c328e7ac8c67ade7fcc234cd0631999d8996b54c3da722
AsyncRAT
92bee9898c4a67a5fe3a209982221c240bc96627ee3fac96369eafa443bde986
AsyncRAT
bcf6e06fa10585d1f58a3f85a65840503b588cc7909732205b70f71fe9950def
AsyncRAT
c54b60f2101b09c68669821453bf68653d2bcc7b9030a13edd5486a387a11cab
AsyncRAT
e97971373153511aec33235be2a33ae65c3955851d8d0b5ffc1f3b75522e9c09
AsyncRAT
+ 491 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat coreentity rat rezer0
Link:
https://tria.ge/reports/201109-f2ewn4xnsn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
rezer0
AsyncRat
CoreEntity .NET Packer
Malware Config
C2 Extraction:
185.165.153.215:6606
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

7z 13e3ccb2bb4cf21c36db84c59e867adbf603b4b011dc8eb4e55ff54291620bb1

AsyncRAT

Executable exe ac016f9b1592fb93fe1117f2a2e20b383944828d649f1ba33ecf831a78537b78

(this sample)

  
Dropped by
MD5 7cdbbb7f357bc8ff229fcda3709b3381
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 13e3ccb2bb4cf21c36db84c59e867adbf603b4b011dc8eb4e55ff54291620bb1

Comments