MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f
SHA3-384 hash: a9e283ca75f14ab9b1bfbaad8bc72e7c089cb46d7ad2b312ac97634613d974b6e45321d89b65c45f9022070cb73a88b3
SHA1 hash: 96cb3bdf0318a4aa63462b0a56126109be6fc6ba
MD5 hash: 1da23540408db1cbe7d2ce55b590492c
humanhash: burger-rugby-alpha-arkansas
File name:BL-040820.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:971'264 bytes
First seen:2020-08-04 09:29:42 UTC
Last seen:2020-08-12 07:54:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bytD8HOJrTGBuMq1V5p4wJ8hkdTq8HFKERhtLvclpP9IF:bY8H2GBuJVJZ9FKERhtDkpP6F
Threatray 332 similar samples on MalwareBazaar
TLSH 5125D883B41C8571CE355B3D48128DD453F23C5D9F8AB20627A4BD3EE4BE4525E2FA4A
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

From: Michela Luriani <michela.lurianl@bleuline.it >
Subject: Richiesta urgente per i prodotti allegati
Attachment: BL-040820.iso (contains "BL-040820.exe")

AsyncRAT C2s:
194.5.97.4:8824

Hosted on nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
4
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38411/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.29005.22383.30107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/408982
Signature
Connects to a pastebin service (likely for C&C)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 09:31:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oiuxvl6ojwkqwsjuf2h5apinse4gvek3faxe6unnr6ywxvpubhq._file
Verdict:
suspicious
Similar samples:
34670f14b9ca4fcb265b261d99b7178e489b63bfd9c0c3d06ce633f474aa12c4
AsyncRAT
474af782fd84f7b982a4c49deeaf3431aeadd1e52528dc7dd8e3bb29bde9c40f
AsyncRAT
48f5ec7f8dface6902c82f810be45ae1d8be5f3697afc232743b9153d46883a6
AsyncRAT
7c1edf2a2fd0fc1499931f60cd7363812513b4f410ae32677a7a63c355568ecd
AsyncRAT
af7aa3b76b8d11ba1d518006e2b4ea6d574573bd2bba6594a57825e33f9ed87c
AsyncRAT
b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0
AsyncRAT
d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe
AsyncRAT
daa11a454d19db26e0628d81c0b187667405e26c08bdd466e43565d9b065c952
AsyncRAT
f1044b4d40e2d3df5e586d5c8c58e49fa4795eed6b6afb44b506efe4319f4d0c
AsyncRAT
fd8099db1cfa62c7507e5d163096c9c558b653540cad6f8f0211e12f1f623933
AsyncRAT
+ 322 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat evasion
Link:
https://tria.ge/reports/200804-re2xykj9je/
Behaviour
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Looks for VMWare Tools registry key
Async RAT payload
Looks for VirtualBox Guest Additions in registry
AsyncRat
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db914bd57e72/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

iso cea91c1f969b744c3059034966ef066a650e295f54e108de0e50b0f6794f1087

AsyncRAT

Executable exe db914bd57e726ca85a49a1747e81e86c89c3548ad941727a8d6c7d8b5eafa04f

(this sample)

  
Dropped by
MD5 70f7005224e3f04e59a3ea998426f492
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cea91c1f969b744c3059034966ef066a650e295f54e108de0e50b0f6794f1087
Cape
Cape
https://www.capesandbox.com/analysis/38411/

Comments