MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e
SHA3-384 hash: f715e7e43b7db211786025ae2db71f84e1d3b573e7dbecef3bea48f7874d62b333fe8ce2c8aac8ce4b474dbf53b6a61c
SHA1 hash: 42e402d2c2ba09d06cf1d87e24e24f326fd58581
MD5 hash: 9460afd27c889a00ff5fe4e28cd2c80a
humanhash: charlie-network-coffee-apart
File name:0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'311'808 bytes
First seen:2021-09-13 07:46:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:lOGA8h16GMR06hLnLNXxKKWaGQy6C7xd1St8cBipFcUIZnSZ0MXAGfFh:HAm6D06hV7GQy6C7o8c+WNSZ0lI
Threatray 9'285 similar samples on MalwareBazaar
TLSH T11955128E7610759FC627C97BDA981C209A707036570BE243A05325EEAE4E79BCF161F3
dhash icon ae53d212daccccca (8 x Formbook, 4 x AsyncRAT, 1 x NetWire)
Reporter JAMESWT_WT
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e
Verdict:
Malicious activity
Analysis date:
2021-09-13 08:04:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f439d0f6-e969-4c7f-8d3b-e8866b797fab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187334/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6174fd64db358dd15ed916e6/reports/731cbf6f-0f84-4b26-a14a-334ef01896da/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce303626-5863-4deb-b9a5-c150ff41b316
Result
Threat name:
AsyncRAT FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849707
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482139 Sample: qjSBvGbPyK Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 71 www.barefootbirthstl.com 2->71 73 barefootbirthstl.com 2->73 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for dropped file 2->89 91 12 other signatures 2->91 13 qjSBvGbPyK.exe 7 2->13         started        signatures3 process4 file5 63 C:\Users\user\AppData\...\UlszDwXwkoOpzV.exe, PE32 13->63 dropped 65 C:\...\UlszDwXwkoOpzV.exe:Zone.Identifier, ASCII 13->65 dropped 67 C:\Users\user\AppData\Local\...\tmp7887.tmp, XML 13->67 dropped 69 C:\Users\user\AppData\...\qjSBvGbPyK.exe.log, ASCII 13->69 dropped 107 Uses schtasks.exe or at.exe to add and modify task schedules 13->107 109 Injects a PE file into a foreign processes 13->109 17 qjSBvGbPyK.exe 1 4 13->17         started        20 schtasks.exe 1 13->20         started        signatures6 process7 file8 57 C:\Users\user\AppData\Local\...\windows.exe, PE32 17->57 dropped 59 C:\Users\user\AppData\Local\...\security.exe, PE32 17->59 dropped 22 security.exe 3 17->22         started        25 windows.exe 6 17->25         started        28 conhost.exe 20->28         started        process9 file10 93 Multi AV Scanner detection for dropped file 22->93 95 Detected unpacking (changes PE section rights) 22->95 97 Machine Learning detection for dropped file 22->97 99 Tries to detect virtualization through RDTSC time measurements 22->99 30 security.exe 22->30         started        33 security.exe 22->33         started        35 security.exe 22->35         started        37 security.exe 22->37         started        61 C:\Users\user\AppData\Roaming\RjOECz.exe, PE32 25->61 dropped 101 Injects a PE file into a foreign processes 25->101 39 windows.exe 2 25->39         started        42 schtasks.exe 1 25->42         started        signatures11 process12 dnsIp13 111 Modifies the context of a thread in another process (thread injection) 30->111 113 Maps a DLL or memory area into another process 30->113 115 Sample uses process hollowing technique 30->115 117 Queues an APC in another process (thread injection) 30->117 44 explorer.exe 30->44 injected 75 podzeye.duckdns.org 144.126.145.38, 4433, 49740 LOYOLAUS United States 39->75 48 conhost.exe 42->48         started        signatures14 process15 dnsIp16 77 www.nedayerasa.com 44->77 103 System process connects to network (likely due to code injection or exploit) 44->103 105 Uses ipconfig to lookup or modify the Windows network settings 44->105 50 ipconfig.exe 44->50         started        signatures17 process18 signatures19 79 Modifies the context of a thread in another process (thread injection) 50->79 81 Maps a DLL or memory area into another process 50->81 83 Tries to detect virtualization through RDTSC time measurements 50->83 53 cmd.exe 50->53         started        process20 process21 55 conhost.exe 53->55         started       
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 00:17:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
formbook
Create hunting rule
Similar samples:
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
AsyncRAT
3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
AsyncRAT
4ed49588d6356f63895a1674a3ab5351199e4c4a8af4c825cc7d2b7dd79bffbc
AsyncRAT
65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463
AsyncRAT
91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
AsyncRAT
ab96b6ac9080fe40003b5259931da0e8fae1d5e57d602991d8bb06fa712bdd9b
AsyncRAT
b38eadc0a59ed8405656c9445912f644724ed07ce9086e0183a6b086460f20e6
AsyncRAT
f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121
AsyncRAT
+ 9'275 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:formbook botnet:default campaign:kkt rat spyware stealer trojan
Link:
https://tria.ge/reports/210913-jmjh6agccr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Async RAT payload
Formbook Payload
AsyncRat
Formbook
Malware Config
C2 Extraction:
podzeye.duckdns.org:4422
podzeye.duckdns.org:4442
podzeye.duckdns.org:4433
http://www.hometowncashbuyersgroup.com/kkt/
Unpacked files
SH256 hash:
d29c5520fd4883564f531506633b147f4153eb019f68a458bc98acd76da6c4d4
MD5 hash:
7474aa0747d3e63cdc0ad6160085cb18
SHA1 hash:
32c27407e668bd66382e063a1b9c37f61ef7c334
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
SH256 hash:
405335460192bce34011f2ca877ee3a4ff9fe17f8607a9120ae8948eee9120c3
MD5 hash:
86e9495b7a6a0460521c8aa028637cee
SHA1 hash:
4dc9573d5a639e787c9902d2cff059a8a4cd183b
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
SH256 hash:
b79bb97ef26e00247841bc1ad84baab9c20c0853150072a01599df969a28ba21
MD5 hash:
f63388e4df88780823c9b29d29b63dc9
SHA1 hash:
2e5334b1c9bc07cce58b858e356433a25d334a13
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
SH256 hash:
115a9a516484e019afb234e2c473cb0cf38cd2f97759887166c6ab375bcec0b5
MD5 hash:
43481e0a93b6db262eb7fe65c1bc9d0f
SHA1 hash:
2614d3bc17ee123f088ac4b78ed0cfb55da537f9
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
SH256 hash:
0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e
MD5 hash:
9460afd27c889a00ff5fe4e28cd2c80a
SHA1 hash:
42e402d2c2ba09d06cf1d87e24e24f326fd58581
Link:
https://www.unpac.me/results/5890aab9-7284-46e3-816b-0e76289a2870/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0562bb5cd1a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187334/

Comments