MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
SHA3-384 hash: 6fe41ac3feb114e7b2e53dc30eab69763de0920bd0316db5ae12e49d485bfdf4c45ba646ba5fc61b924b0a71a1375f30
SHA1 hash: a2a0029312e054f01a045b5af463b118779c8951
MD5 hash: f87f3da7e4319dc7c9aa712ad633040e
humanhash: alpha-bravo-emma-asparagus
File name:INVOICE.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:778'752 bytes
First seen:2023-11-21 07:48:59 UTC
Last seen:2023-11-21 09:13:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:HjfLII7ciGmjKPVKu3wKD2NrfcKDd6LgQ58a8okHZcIh6odO7arRiDOUij:DL+l6KPV/w1rflDd6Ld5tiHroodwERi6
TLSH T15BF4239A3E9E875FC6DE46BD141058109779DE324303E31E9BA9347E2027393D6067B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b269ccaab2dc69b2 (3 x AgentTesla, 2 x Formbook, 1 x AsyncRAT)
Reporter cocaman
Tags:AsyncRAT exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
343
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2023-11-21 07:51:08 UTC
Tags:
rat remcos asyncrat remote stealer agenttesla
Link:
https://app.any.run/tasks/9dbe6987-99ab-4d2c-8dc4-66753b11e4b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459440/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.4490.9019.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/655c60f015cd82a1c998a23f/reports/ed1ac129-6a85-4f2f-9ce2-f0973c75b5f2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9847c267-2cb5-4cc9-abe3-d96b08c0d2e9
Result
Threat name:
Remcos, AgentTesla, AsyncRAT, Clipboard
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345627
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1345627 Sample: INVOICE.exe Startdate: 21/11/2023 Architecture: WINDOWS Score: 100 71 mail.globalifb.com 2->71 73 fp2e7a.wpc.phicdn.net 2->73 75 3 other IPs or domains 2->75 105 Snort IDS alert for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 19 other signatures 2->111 10 INVOICE.exe 7 2->10         started        14 PZWVpHoNkCgPF.exe 5 2->14         started        signatures3 process4 file5 63 C:\Users\user\AppData\...\PZWVpHoNkCgPF.exe, PE32 10->63 dropped 65 C:\Users\user\AppData\Local\...\tmpFA4B.tmp, XML 10->65 dropped 113 Uses schtasks.exe or at.exe to add and modify task schedules 10->113 115 Writes to foreign memory regions 10->115 117 Allocates memory in foreign processes 10->117 125 2 other signatures 10->125 16 MSBuild.exe 15 6 10->16         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        119 Antivirus detection for dropped file 14->119 121 Multi AV Scanner detection for dropped file 14->121 123 Machine Learning detection for dropped file 14->123 25 MSBuild.exe 14->25         started        27 schtasks.exe 14->27         started        29 MSBuild.exe 14->29         started        signatures6 process7 dnsIp8 67 mail.globalifb.com 68.65.122.101, 26, 49709, 49713 NAMECHEAP-NETUS United States 16->67 69 api4.ipify.org 64.185.227.156, 443, 49706, 49712 WEBNXUS United States 16->69 57 C:\Users\user\AppData\...\svchostservice.exe, PE32 16->57 dropped 59 C:\Users\user\AppData\...\dllhostservices.exe, MS-DOS 16->59 dropped 61 C:\Users\user\AppData\Roaming\...\crss.exe, PE32 16->61 dropped 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->95 97 Tries to steal Mail credentials (via file / registry access) 16->97 31 dllhostservices.exe 1 2 16->31         started        36 crss.exe 16->36         started        38 svchostservice.exe 16->38         started        40 conhost.exe 21->40         started        42 conhost.exe 23->42         started        99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->99 101 Tries to harvest and steal browser information (history, passwords, etc) 25->101 103 Installs a global keyboard hook 25->103 44 conhost.exe 27->44         started        file9 signatures10 process11 dnsIp12 77 104.129.27.19, 2404, 49708, 49714 ASN-QUADRANET-GLOBALUS United States 31->77 53 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 31->53 dropped 79 Antivirus detection for dropped file 31->79 81 Detected unpacking (changes PE section rights) 31->81 83 Detected Remcos RAT 31->83 93 9 other signatures 31->93 55 C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe, PE32 36->55 dropped 85 Suspicious powershell command line found 36->85 87 Machine Learning detection for dropped file 36->87 89 Drops executables to the windows directory (C:\Windows) and starts them 36->89 46 HWMonitor.exe 36->46         started        49 powershell.exe 36->49         started        91 Multi AV Scanner detection for dropped file 38->91 file13 signatures14 process15 signatures16 127 Antivirus detection for dropped file 46->127 129 Machine Learning detection for dropped file 46->129 131 Creates an autostart registry key pointing to binary in C:\Windows 49->131 51 conhost.exe 49->51         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-21 07:49:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=buwsl5c4acfseoc67d32ehm5khicnhapkwac3i7pgtcsf5xpp5iq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
agenttesla_v4
Create hunting rule
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat family:remcos botnet:default botnet:host keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231121-jnnt9sdg6y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Async RAT payload
AgentTesla
AsyncRat
Remcos
Malware Config
C2 Extraction:
104.129.27.19:2404
104.129.27.19:6606
104.129.27.19:7707
104.129.27.19:8808
Unpacked files
SH256 hash:
4dbb75b822bc8b28806ec17f8e9444648e7d549921b98cf3d90ddc506859f2ca
MD5 hash:
a3171a4416349df1ef189d833d2124fb
SHA1 hash:
e2c7133739ddd8f13e120bc1183071411af3263f
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
6d0d83d060bc279825425757101698e702f3e71c53639270c63b24216fcbcd3f
MD5 hash:
caf9747a01a99245a0b3df133dd85191
SHA1 hash:
c8429f9d5d1d9768e22019fcac5f0d4b59c006a6
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
940d979a6e48061d85288ff57e6865087d7c0362774bd7d2caebfdc7b02914eb
MD5 hash:
962b8a0da7f38404ae75698d445d2f82
SHA1 hash:
afefd1bc3f70d9a03621a22715ea1001a8d4427b
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
win_asyncrat_unobfuscated
Create hunting rule
win_asyncrat_bytecodes
Create hunting rule
asyncrat
Create hunting rule
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
3fc435481d7ef0079bdad4dd86185e61a5092a5df4a3e17a75266cf283effaa1
MD5 hash:
ead80ad88662af6f37f0c49fe6e3fb44
SHA1 hash:
dbeb4019c7337347d1c6d0913c9249021cafd849
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
265a01e7bc998d125e99f2328b14bd81c5eef978c1a91a5509d82b96de07f9c2
MD5 hash:
cf2a7ecd15de65e1d90a8e032b4355a9
SHA1 hash:
591b7a5c331ab22990d78a1f2e8ef8302da5cc94
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871
MD5 hash:
b29263b5d35ffce3eef6a54549966724
SHA1 hash:
23d474b87f0698a3c954aeeffc9e2b7777aa8731
Detections:
AgentTesla
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
Gen_Base64_EXE
Create hunting rule
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
966580db3e888db816e0ee2789fa54f58507bd55629cad32f7a2afb64aa1f82c
MD5 hash:
d3289b0c23634ac5c1faf9d92cf44fb1
SHA1 hash:
7e4b9e1b8db83e1e3ac1ba47b8a778e096e2a78e
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
INDICATOR_EXE_Packed_MPress
Create hunting rule
Remcos
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
SH256 hash:
0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
MD5 hash:
f87f3da7e4319dc7c9aa712ad633040e
SHA1 hash:
a2a0029312e054f01a045b5af463b118779c8951
Link:
https://www.unpac.me/results/b9aa91a3-1d17-47be-af68-2b8964cf2e7f/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d2d25f45c00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:malware_Remcos_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

rar c4335b63b88745fa1a6ac3c8b8af16ef7eac10ee38ee4afe35cd66a469e858cc

AsyncRAT

Executable exe 0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c4335b63b88745fa1a6ac3c8b8af16ef7eac10ee38ee4afe35cd66a469e858cc
  
Dropped by
SHA256 f93b97fc6d433cdfa080d828357c049d4c83a072801a0360abf3537562a03f07
Cape
Cape
https://www.capesandbox.com/analysis/459440/
  
Dropped by
MD5 42147edd19e9c069ba1cf622a7a800ef
  
Dropped by
MD5 dadfe913feb8845c3ca0c9aee732a882

Comments