MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9
SHA3-384 hash: 7a77a9b4b3058c328e2d6fd8bbaff4f425109e02d7539f1dd18432cad31d521476f0f231f4b67bc77fe347129df83ced
SHA1 hash: 7002d630e82554db67ca5fd9798e325c4de905a3
MD5 hash: 11b2d351af86cabcdaf4740660fb89b5
humanhash: early-arizona-kitten-queen
File name:NewInquiry.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'154'048 bytes
First seen:2021-06-24 08:56:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:4Ojv+bAaMd3REebAaMd3hZFGAHQtCfqlBYMnPL:7KAaMVRE2AaMVhZDQtCq+M
Threatray 73 similar samples on MalwareBazaar
TLSH 8B35BF806588A4EAE1777F745CB5BAB1096FBFF62721D40C390333574633E426A96C2E
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
158.69.138.23:9909

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
158.69.138.23:9909 https://threatfox.abuse.ch/ioc/153157/

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NewInquiry.exe
Verdict:
Malicious activity
Analysis date:
2021-06-24 09:03:01 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/3ca6036a-4807-4d09-a3a8-15de1f7f56f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167932/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aca96897-4dae-41aa-8297-2993d4c8f7d5
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807364
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439775 Sample: NewInquiry.exe Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 9 other signatures 2->45 7 NewInquiry.exe 6 2->7         started        process3 dnsIp4 35 kingmethod.duckdns.org 158.69.138.23, 49730, 9909 OVHFR Canada 7->35 29 C:\Users\user\AppData\Roaming\HZVIdH.exe, PE32 7->29 dropped 31 C:\Users\user\...\HZVIdH.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmpA561.tmp, XML 7->33 dropped 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Adds a directory exclusion to Windows Defender 7->49 12 powershell.exe 25 7->12         started        15 powershell.exe 24 7->15         started        17 powershell.exe 22 7->17         started        19 schtasks.exe 1 7->19         started        file5 signatures6 process7 dnsIp8 37 192.168.2.1 unknown unknown 12->37 21 conhost.exe 12->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 08:57:16 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=atzl7bingjjzmyh7xloimgtsd7ddjpplnuwz4cjtmashc2xj3luq._file
Verdict:
unknown
Similar samples:
1823dd1d67def7b7f0df8ab785a80afceaaceb5088465304c80ecaa9f293a460
AsyncRAT
2849f8e54789388e2464504860329fc6d42ca47879cc61b8960e7297477cc948
AsyncRAT
2f20c054ff4637f4a052b973cc20d4ca7f80503abde935c68731ef0fdc737319
AsyncRAT
49b0abe332a386c4524d4a5a41e4ca43768e0416d7f3edfc47503314ad1ffc8c
AsyncRAT
515212213cc20758110038963c28d94d9f713bd4ee2d88e2f5eb4a917af0979d
AsyncRAT
60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
AsyncRAT
961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
AsyncRAT
b0a8ad4663cb719ab9b915c0e030b4534ee9aa46126ae932e05d761629883038
AsyncRAT
c94cc9b7cdd7d427ec608a607b8fe4515eba0479422b02b7008c3973ebc1dcf3
AsyncRAT
eed9c06050ec45f480528543bba5e3176158763beda21f62220bde77f0bdeb3e
AsyncRAT
+ 63 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210624-zsnyea4a4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
kingmethod.duckdns.org:5505
kingmethod.duckdns.org:9909
kingmethod.duckdns.org:4404
Unpacked files
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/d67633f7-7552-48f2-a6ae-63f9a592286f/
SH256 hash:
f55328f1c1ef61e64102619eedc8434083cd14c6d69cf47e8c8770533c8968aa
MD5 hash:
28ebc2c3e280fae17ea48a71f3526bc0
SHA1 hash:
8550deb5fde65faaba4209c6d089cf3a2f668c97
Link:
https://www.unpac.me/results/d67633f7-7552-48f2-a6ae-63f9a592286f/
SH256 hash:
e67f4c7bf12c3b9f6b52ad1eafb27aceedf6927c2d06a2025b18f59ff8920d2b
MD5 hash:
d908fc4302717bfd1a9980078d7965f1
SHA1 hash:
06031541ed1a406fec672d9ebc46136590de7a75
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/d67633f7-7552-48f2-a6ae-63f9a592286f/
Parent samples :
2b0002d2114e4a6c46b82c8a3e12f939d5b5ccc588e33a6b70238db5abc751bb
0817ce5fe48ef3a06a493c0981bda758c98bbc9275fc063c8a1103e4cb94c3ce
04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9
SH256 hash:
04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9
MD5 hash:
11b2d351af86cabcdaf4740660fb89b5
SHA1 hash:
7002d630e82554db67ca5fd9798e325c4de905a3
Link:
https://www.unpac.me/results/d67633f7-7552-48f2-a6ae-63f9a592286f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167932/

Comments