MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02026f0a7193b66036223f82eff070e816ebfbea86af8bb8fa5c92bf6119633f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02026f0a7193b66036223f82eff070e816ebfbea86af8bb8fa5c92bf6119633f
SHA3-384 hash: 18c9cb87782adcf2eaade15ed9d2cec7ef7a92dc7e310681bb5adac625e473c7fa03c8f42bd44bbe1ea3cf6a98d15946
SHA1 hash: 449efe2636816e8a27b4cb6f081b4d78c7e4b6ed
MD5 hash: 7b7db91381b22cf4aa17826c97d621d2
humanhash: fruit-cup-winner-pip
File name:Reference Number -0022393899600.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:659'456 bytes
First seen:2020-11-06 08:09:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:koNYRvz//K4l3PCb3pJ2Qg/lnCFFSXnK:74QlJ2Qg/lCFFf
Threatray 13 similar samples on MalwareBazaar
TLSH C7E486F480EF1062F15F856536AEBEA402B2F1C7DBDA5E080379E6311BBDA523B0564D
Reporter JAMESWT_WT
Tags:AsyncRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/522137
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 310168 Sample: Reference Number -002239389... Startdate: 06/11/2020 Architecture: WINDOWS Score: 84 57 freshg.ddns.net 2->57 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected AsyncRAT 2->65 67 5 other signatures 2->67 9 Reference Number -0022393899600.exe 1 4 2->9         started        12 logs.exe 2->12         started        15 vlc.exe 1 2->15         started        17 vlc.exe 2->17         started        signatures3 process4 file5 51 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 9->51 dropped 53 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 9->53 dropped 55 Reference Number -0022393899600.exe.log, ASCII 9->55 dropped 19 Reference Number -0022393899600.exe 6 9->19         started        69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 22 vlc.exe 3 15->22         started        25 vlc.exe 17->25         started        27 vlc.exe 17->27         started        signatures6 process7 dnsIp8 49 C:\Users\user\AppData\Roaming\logs.exe, PE32 19->49 dropped 29 cmd.exe 1 19->29         started        31 cmd.exe 1 19->31         started        59 freshg.ddns.net 185.140.53.141, 2256, 49729, 49731 DAVID_CRAIGGG Sweden 22->59 33 cmd.exe 22->33         started        file9 process10 process11 35 logs.exe 29->35         started        37 conhost.exe 29->37         started        39 timeout.exe 1 29->39         started        41 conhost.exe 31->41         started        43 schtasks.exe 1 31->43         started        45 conhost.exe 33->45         started        47 schtasks.exe 33->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02026f0a7193b66036223f82eff070e816ebfbea86af8bb8fa5c92bf6119633f/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 09:29:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aibg6ctrso3ganrch6bo74dq5alox67kq2xyxoh2lsjl6yizmm7q._file
Verdict:
unknown
Similar samples:
1643306adbe8c7e38ee965ab974c1d074afc671c0e5aa0c2b50a18cc67036a50
AsyncRAT
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
AsyncRAT
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
AsyncRAT
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
AsyncRAT
c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
AsyncRAT
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
AsyncRAT
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
AsyncRAT
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
AsyncRAT
e69d8cb762149ef5d9cbc14ba3b4c1a48395c5261f9c404608a37c1807f1e19e
AsyncRAT
ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350
AsyncRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/201106-244s7jbsrs/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Malware Config
C2 Extraction:
:
Unpacked files
SH256 hash:
02026f0a7193b66036223f82eff070e816ebfbea86af8bb8fa5c92bf6119633f
MD5 hash:
7b7db91381b22cf4aa17826c97d621d2
SHA1 hash:
449efe2636816e8a27b4cb6f081b4d78c7e4b6ed
Link:
https://www.unpac.me/results/0d4e060f-597e-447b-80ac-1d5a9c3576a4/
SH256 hash:
62d27549d22ba25a5c544ca3fda75de2bb5d771276b166dc4358a25355cce43c
MD5 hash:
39d442b1e50cdc2fe1a2617fdf471d5e
SHA1 hash:
7dbc6cd1223755f505892382346d616014e447a2
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/0d4e060f-597e-447b-80ac-1d5a9c3576a4/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/0d4e060f-597e-447b-80ac-1d5a9c3576a4/
SH256 hash:
d29465558c4e630abeb6af0589ba5dfaf6fd7a40549b8c00d5093b24fb8e2b5c
MD5 hash:
b102995ed68d4ad5204ac23671e884dc
SHA1 hash:
dc621641c85a8f34e28cc5ea026c848f57df5144
Link:
https://www.unpac.me/results/0d4e060f-597e-447b-80ac-1d5a9c3576a4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments