MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8
SHA3-384 hash: 9f5b65403a1ead27f20d919057673f1c32fa4c4dc03dd672e9cf000bdefc055dc33efbeb666c7c808f0f0b1ebacb3664
SHA1 hash: e150c1788efff84c1290cfece7868ba441a80c3b
MD5 hash: e0af07cb76102ee5401746b282d6ffe5
humanhash: south-october-lion-coffee
File name:e0af07cb76102ee5401746b282d6ffe5.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:373'248 bytes
First seen:2021-08-16 17:15:28 UTC
Last seen:2021-08-16 18:15:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:XOAdR7tUyAiMvrzwjbaKnGP3b0HBqyr1Q0pB/f+yIIB7SOR3DHQKDuXr6SE:+AdR5lAiMDcDGP3b0HzYyI+3EbHE
Threatray 36 similar samples on MalwareBazaar
TLSH T14384220AAE086D6ACF6FDD7714EA4E0043A09D4E5176E1DAFE8A759B2CF3B40311847D
dhash icon e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter abuse_ch
Tags:AsyncRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0af07cb76102ee5401746b282d6ffe5.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-16 17:19:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92122a13-dcb2-4fb6-afd4-09aa027777de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179644/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15568.9179.12429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Launching a process
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfced100-6730-484b-97c3-850dd39b274f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833732
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8/
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 13:06:21 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=baouzqqoizluxre3jfkysqbxdttlbibx2ypofek6hilplcg6j24a._file
Verdict:
unknown
Similar samples:
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
AsyncRAT
3ee82cb6b92599b06273f1a48091fdbab0ca285fb8147501a0392b8a2eba583c
AsyncRAT
503daa99af5a571e42bba412296ce3f6e086ce203359cb27f7d04442d10b2999
AsyncRAT
6bd0f63d69ebaa8e28b21e9b0f5c02e05c1213535b2881d080db1d09082e9f1d
AsyncRAT
6c6f2e9b5fe7b38d57b42e4d03156c5167e4fdfc6a3468856bed81ada7232fb1
AsyncRAT
6ffa008d9c18433dfb729075105f7837874da4b96d22c7718f360558f9aeaa0a
AsyncRAT
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
AsyncRAT
abeff15c4406f81d4332fa38897f618ea4c661335e6890b764b73408cfe4f48a
AsyncRAT
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
AsyncRAT
+ 26 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat persistence rat
Link:
https://tria.ge/reports/210816-xm3xjwt2vj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AsyncRat
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
aa41dbaa21e03a0758e7508b9415a6d8b8d93e33a6ff6f2eb6328f61f75c1528
MD5 hash:
786b7deda2cd493ad5a05eab903c900c
SHA1 hash:
2ffb69828587fb0a7095daf7102ba1f3bec6c1f5
Link:
https://www.unpac.me/results/95f2a6ee-3071-4096-b12e-508a809bf6d0/
SH256 hash:
a5b0420a437f9f02e0a881ff1115e2a9aaa35c7b5125920c8d0f213094878f3a
MD5 hash:
22180a48925a07a07b7e48c86ccf2c27
SHA1 hash:
05f7ac6a417119ab15f61edcbe4baf2008f26e8c
Link:
https://www.unpac.me/results/95f2a6ee-3071-4096-b12e-508a809bf6d0/
SH256 hash:
4db88515b4a129b9da897a47b358a19d9979b917fbe3cc8d999ee6380b4fcaf8
MD5 hash:
5eb985417e7f2da7be9449c070b2bae4
SHA1 hash:
027e075288618421fc587cd817f0480f8ea5f369
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/95f2a6ee-3071-4096-b12e-508a809bf6d0/
SH256 hash:
081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8
MD5 hash:
e0af07cb76102ee5401746b282d6ffe5
SHA1 hash:
e150c1788efff84c1290cfece7868ba441a80c3b
Link:
https://www.unpac.me/results/95f2a6ee-3071-4096-b12e-508a809bf6d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 081d4cc20e46574bc49b49558940371ce6b0a037d61ee2915e3a16f588de4eb8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1475909/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/948787/
Cape
Cape
https://www.capesandbox.com/analysis/179644/

Comments