MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d9da2523f02f99abd5192967db5700ad9b1e8356bc5e290d0f449b6a1e70a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06d9da2523f02f99abd5192967db5700ad9b1e8356bc5e290d0f449b6a1e70a4
SHA3-384 hash: 5d697ee0e840744835e7def6e938735dd5e1a9a3cbbe4a610c67eb844b03faccc3018382f5db6be4a9d94019583eafbf
SHA1 hash: 7bdbf325f9be30324735876ff153db96ee185ff4
MD5 hash: 2fd677e034f72a56fccd2ec0772478a7
humanhash: finch-orange-early-louisiana
File name:2fd677e034f72a56fccd2ec0772478a7.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:145'920 bytes
First seen:2020-05-26 09:47:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:NNEaW2Kii8IpnHxacJmZ1KF1PFU2vq5XTVWs0FIzJM+WZLgcGtOa/SH:/nqyIpRacJRF3URMFIzCvZ8FTe
Threatray 438 similar samples on MalwareBazaar
TLSH 33E3CF7D5698AA2BCEAE1AF5D4C10511A379D2530383F3C5CF84B0F9199B3C14AD27A7
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
AsyncRAT C2:
moveforme.ug:6970 (91.193.75.172)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 04:01:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
02598592bee4d0e9a9b20966d8843b3541d7041a7e307b091369f0554e28888b
AsyncRAT
1af39187ccacdf73f47da74611b9fb4582ca0d186cfedb27b557899a5eca6b9d
AsyncRAT
38a5466ed6bf2ea0c3e206b7ce9520da9c0104fbe0ddc33012ef73087e0c754c
AsyncRAT
476bb9c473787445f22e5a80de8a48d0bb273817f0d25bec1c491f6fde8b1770
AsyncRAT
5d0e0a36fee02ee2299dc84c2d1b6e6a2b59f68a6f7ccfe00d213704adbb7df5
AsyncRAT
70e19ae033d90f86fa356b14a9545c1444ba59d09037bc61f0e3fb9ae92e4386
AsyncRAT
b1fd1e541922f806d521a8a0925822f85060919230b70c7dfdf6eb7c36b02502
AsyncRAT
b3088a313a00c6774cb853379f427ffaab01a528a4561f814e2c7af24e5bfba2
AsyncRAT
c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61
AsyncRAT
f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4
AsyncRAT
+ 428 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat coreentity rat rezer0
Link:
https://tria.ge/reports/201109-bd2xp447zn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Async RAT payload
rezer0
AsyncRat
CoreEntity .NET Packer
Malware Config
C2 Extraction:
moveforme.ug:6970
xafsavxcfdgbdsfg.ru:6970
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 06d9da2523f02f99abd5192967db5700ad9b1e8356bc5e290d0f449b6a1e70a4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/367171/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/367551/

Comments