MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd
SHA3-384 hash: bdf92ca4345c455dd51cfe23c0df939a45ea8f6609b87479bf37a351373f6cb981731025303ac61b2191174668d2fe96
SHA1 hash: 012e3439b1802ef89a389fc0c4ce3fae5941ac4c
MD5 hash: 02947d03e9e642935c54617c1cf3af0e
humanhash: fourteen-river-london-pip
File name:04A31AE8A31BB4144D7392040442F4A38E8301CC55012.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:392'952 bytes
First seen:2021-11-16 22:37:01 UTC
Last seen:2021-11-17 01:09:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:jQv4h9SUz1PGKpbBN9cV1+Tse1y3L1biVVDcXHMZ891ApqEhTiD:jnHz1tBjcVWrE3pbqVDcXHmmAVWD
Threatray 116 similar samples on MalwareBazaar
TLSH T1EF841223DB8E8B11D8059C71751BE0E9DA7FDE8C60D3D38749CE79A586B33A047A160B
File icon (PE):PE icon
dhash icon 28e896a217b2cc44 (1 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
45.144.154.150:1604

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.144.154.150:1604 https://threatfox.abuse.ch/ioc/150768/

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04A31AE8A31BB4144D7392040442F4A38E8301CC55012.exe
Verdict:
Malicious activity
Analysis date:
2021-11-17 05:27:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/804729b6-b40d-41e1-9fb4-bd7dd9a30570

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206667/
Detection(s):
SecuriteInfo.com.Variant.Bulz.674593.31649.1804.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Forced system process termination
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed quasar
Link:
https://www.filescan.io/uploads/6194328e2695a62af9f19cb9/reports/67fa8530-5f67-4350-a087-8cfb58870df0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer: from SpyEx to ThunderFox
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e303ccdf-961f-48de-a555-b77e7ff30993
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890808
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Drops PE files with benign system names
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses dynamic DNS services
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 523277 Sample: 04A31AE8A31BB4144D739204044... Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 68 ipinfo.io 2->68 70 canary.discord.com 2->70 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Antivirus / Scanner detection for submitted sample 2->86 88 9 other signatures 2->88 10 04A31AE8A31BB4144D7392040442F4A38E8301CC55012.exe 3 10 2->10         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\explorer.exe, PE32 10->50 dropped 52 04A31AE8A31BB4144D...A38E8301CC55012.exe, PE32 10->52 dropped 54 C:\Users\user\AppData\Local\...\_Oltvzqo.vbs, ASCII 10->54 dropped 56 2 other malicious files 10->56 dropped 96 Creates an undocumented autostart registry key 10->96 98 Writes to foreign memory regions 10->98 100 Uses powershell Test-Connection to delay payload execution; 10->100 102 2 other signatures 10->102 14 04A31AE8A31BB4144D7392040442F4A38E8301CC55012.exe 10->14         started        19 wscript.exe 10->19         started        21 powershell.exe 8 10->21         started        23 9 other processes 10->23 signatures6 process7 dnsIp8 74 alemdar571.duckdns.org 45.144.154.150, 18, 49767 CMCSUS Germany 14->74 58 C:\Users\user\AppData\Local\Temp\dsyyeq.exe, PE32+ 14->58 dropped 76 Antivirus detection for dropped file 14->76 78 Multi AV Scanner detection for dropped file 14->78 25 cmd.exe 14->25         started        80 Wscript starts Powershell (via cmd or directly) 19->80 28 powershell.exe 19->28         started        30 conhost.exe 21->30         started        32 conhost.exe 23->32         started        34 conhost.exe 23->34         started        36 conhost.exe 23->36         started        38 6 other processes 23->38 file9 signatures10 process11 signatures12 90 Suspicious powershell command line found 25->90 92 Wscript starts Powershell (via cmd or directly) 25->92 94 Bypasses PowerShell execution policy 25->94 40 powershell.exe 25->40         started        43 conhost.exe 25->43         started        45 conhost.exe 28->45         started        process13 dnsIp14 72 192.168.2.1 unknown unknown 40->72 47 dsyyeq.exe 40->47         started        process15 file16 60 C:\Users\...\win32pdh.cp310-win_amd64.pyd, PE32+ 47->60 dropped 62 C:\Users\...\win32crypt.cp310-win_amd64.pyd, PE32+ 47->62 dropped 64 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 47->64 dropped 66 124 other files (none is malicious) 47->66 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 11:11:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=asrrv2fddo2bitltsicaiqxuuohigaomkuasjtch2ajkb25hdpoq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0b19c7363002adca6627b79915e7feb2886b9f55c8af305336ef3992171b0978
AsyncRAT
7f6e85893aad47392dd06e9bbf28a8ee85293bcbec12403bae09d1e1f3e727ab
AsyncRAT
8b480ff5797c4d2a4a4c9eeb9207ce3fa89a1d063a72c90faa341e012faf9fd5
AsyncRAT
8ecd676a1e6ac02ed9db01f62c18940038c695d5bf9938f1133dcbeeffb48fb1
AsyncRAT
a024f189799cced8d2b2b164f4cc73b0eb9e12784bc977f182175bb61c17a171
AsyncRAT
fae536169514c5730e6d6d6a582fb988341edd4cc1a62b5a2f172e87dd1708c5
AsyncRAT
+ 106 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat pyinstaller rat
Link:
https://tria.ge/reports/211116-2jslrsfgd6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
548bdf81e760e469c356fe522d6cbb057f3ee0447cc7a69fac1aec78e9c239fb
MD5 hash:
2c7eea381f13fc56ea2f6b0cc4f24589
SHA1 hash:
11604d3f3f3a7ff2badf3128e019c78485327f45
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/e21093d1-1753-4dd6-9565-a3a63a5d46cd/
SH256 hash:
851bbe957de7803deacf4f93031a897a0e4237049cedf5ccd406be8baa3aa568
MD5 hash:
58d76dd878707b2c44ea3cf03229272d
SHA1 hash:
425c13720a39ecae98d0085b10d723d59521c955
Link:
https://www.unpac.me/results/e21093d1-1753-4dd6-9565-a3a63a5d46cd/
SH256 hash:
fe743c5d6042cc8d13c52206a9a3fb5d685d2d5a629ec4c1ae24ba6c8e64a114
MD5 hash:
a138832c3f6a1dea58cc6548b98afc63
SHA1 hash:
33ba64847155aeceff180d55ce350f36ec123ea7
Link:
https://www.unpac.me/results/e21093d1-1753-4dd6-9565-a3a63a5d46cd/
SH256 hash:
04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd
MD5 hash:
02947d03e9e642935c54617c1cf3af0e
SHA1 hash:
012e3439b1802ef89a389fc0c4ce3fae5941ac4c
Link:
https://www.unpac.me/results/e21093d1-1753-4dd6-9565-a3a63a5d46cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206667/

Comments