MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42
SHA3-384 hash: 4bb434835e0bbc9a633d706f79d94d2fd2fd08daa6177260e6916cd8074fef5c89298ec0073d0106240649db93359a91
SHA1 hash: 6653542b2204dd4964619b06ee466c1096abe76c
MD5 hash: 73a72a5968b558d7c6d270445e5c25bc
humanhash: single-magnesium-wisconsin-lamp
File name:INVOICE CHNR000076498 AUG 2020.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:156'672 bytes
First seen:2020-08-18 08:44:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 3072:kt8+Xc7i0U25Sk+ADwa/33IrRuw+mqv9j1MWLQXmsolVMSSg:kt8+Xc7i0U25Sk+ADw43oDAOS5
Threatray 295 similar samples on MalwareBazaar
TLSH 58E3CAE16740D124C8977179857BD9A77733A2EE8D68450C6E82FF0FBD22392442B9CB
Reporter abuse_ch
Tags:AsyncRAT DHL exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: box-smtp2.robocision.info
Sending IP: 178.175.148.197
From: DHL MyBill Team <official@cyberbomber.xyz>
Subject: Your Copy Invoice CHNR000076498 with the Requested Paperwork
Attachment: INVOICE CHNR000076498 AUG 2020.zip (contains "INVOICE CHNR000076498 AUG 2020.exe")

AsyncRAT C2:
185.165.153.43:5007

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47605/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 12:59:03 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=alorf3bt6ty5do7u6ndzvvn4rc7cuhes6gkgdzxslj2u4ij2xrba._file
Verdict:
suspicious
Similar samples:
0dea20e41047659c9a7a7ef93599d0c918fe26e2322db8fb3e9ef333c5a48ca2
AsyncRAT
1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
AsyncRAT
1d0d8c5370adf00c6dfcebcd398685e53871c2848d6241854cf338149c2bd7c3
AsyncRAT
2bb06f09556b4531015208c97a20dd3b56d6b82b2d3f49a353dc65be55da4623
AsyncRAT
341c2ff06edc558131f9517ebabf0ce7676457cc1d33c5ab7189961d0b28b0b8
AsyncRAT
632fad824e77666d3ccb676808a2f04eb349f1f0f1495e75b37aa47e690ffe14
AsyncRAT
99292ae82aea1cc66b3fbd7e9aa4139af2af3b5ea9be01ca2da1dfadabd24008
AsyncRAT
a16602864c33b68b083a8a404c6500b44bf3247c474071cb7dd4216a39e5347e
AsyncRAT
e45c663a64882bcbb2314a2cf6bd2da6db9b1697df4a9c96c24f4dd834e7b662
AsyncRAT
ebb67fcc05af7a919e225a7a1f8c5bfbd65b28c22f4659527b0afb4f968ccd49
AsyncRAT
+ 285 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat persistence family:asyncrat
Link:
https://tria.ge/reports/200818-2es5rd8kja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip c0bb09a2bb2b43708d472d20529eeb049d6de0e078240a8af72d1dde3bfa2342

AsyncRAT

Executable exe 02dd12ec33f4f1d1bbf4f3479ad5bc88be2a1c92f19461e6f25a754e213abc42

(this sample)

  
Dropped by
MD5 e1314021335c86ba459e2ac9402cc6d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47605/
  
Dropped by
SHA256 c0bb09a2bb2b43708d472d20529eeb049d6de0e078240a8af72d1dde3bfa2342

Comments