MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2
SHA3-384 hash: 11c5266854be37839a817a042bd9d4ec8a348e095faf10c4a8207843fd9b88b6193e83d6cda86fd6e9121e607c23922c
SHA1 hash: 62a84e392ed00c8920b2548bee829075f73e8e06
MD5 hash: 28d058d0a99ecdabe50751a797ed8cb9
humanhash: thirteen-comet-helium-robin
File name:28d058d0a99ecdabe50751a797ed8cb9.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:1'601'536 bytes
First seen:2021-01-25 19:07:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:B+8o/9FZQRt5gyBLO8mmwRywFUfuDehixZXjnOVgwk:q9wRt4ysUfu6YxRp
Threatray 1'078 similar samples on MalwareBazaar
TLSH 86754D112FC3294BF2B3D67222B297DF9F68BB7A72465E5892591B554C03E812F83D03
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
179.43.140.133:8808

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
28d058d0a99ecdabe50751a797ed8cb9.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 19:07:40 UTC
Tags:
trojan rat asyncrat opendir
Link:
https://app.any.run/tasks/c2fd486a-15fa-44f5-82e4-2f444349f112

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113773/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Running batch commands
Sending a UDP request
Adding an access-denied ACE
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/589862
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343978 Sample: fod1jZt8yK.exe Startdate: 25/01/2021 Architecture: WINDOWS Score: 96 43 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 3 other signatures 2->49 7 fod1jZt8yK.exe 20 4 2->7         started        process3 dnsIp4 41 pastebin.com 104.23.98.190, 443, 49732 CLOUDFLARENETUS United States 7->41 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Adds a directory exclusion to Windows Defender 7->55 57 3 other signatures 7->57 11 WerFault.exe 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 3 other processes 7->18 signatures5 process6 dnsIp7 35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->35 dropped 21 conhost.exe 14->21         started        23 timeout.exe 1 14->23         started        25 conhost.exe 16->25         started        27 timeout.exe 1 16->27         started        37 179.43.140.133, 49736, 8808 PLI-ASCH Panama 18->37 39 179.43.140.144, 49735, 80 PLI-ASCH Panama 18->39 29 conhost.exe 18->29         started        31 conhost.exe 18->31         started        33 timeout.exe 1 18->33         started        file8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2/
Threat name:
ByteCode-MSIL.Backdoor.Crysant
Create hunting rule
Status:
Malicious
First seen:
2021-01-10 17:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgfulaevqqt3p2pxlozoil7q46dl2y6vzyws6hn55of2x2mbo7ja._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c
AsyncRAT
3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4
AsyncRAT
58909bdbe9145136b971a479fe4eb668fcf23278cd14c29b8526ef0627a5ba0f
AsyncRAT
6c595ae0af40886a5d0e907120894e72fadef005a527230b5c28a3e2767789f1
AsyncRAT
7380f791a7bb79b986dba49ba94e0f2e4a16abeccb3a7117d5acf27c3977a530
AsyncRAT
8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
AsyncRAT
944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16
AsyncRAT
9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7
AsyncRAT
ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba
AsyncRAT
cc955cd4b419801f0cd833470805f5e4cea9cb0ed765661d359d9df5cf7aea1d
AsyncRAT
+ 1'068 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat evasion ransomware rat trojan
Link:
https://tria.ge/reports/210125-zn8tzn2fg2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Windows security modification
Async RAT payload
AsyncRat
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
a3b0230cd1b11ba145cabd5924250610288e4b68c81c061754330a6aeff7783c
MD5 hash:
084e758fae2801d137248b7471baf1f0
SHA1 hash:
ac4934d025b94d0581f399c2fb3d32b8783def50
Link:
https://www.unpac.me/results/24a1a60b-0910-4835-bfcd-ff3062ec2f77/
SH256 hash:
89c291173ea3e49eb9892773a304ec2a45209b8cf95209e9285302629be82313
MD5 hash:
a24d58c3987fd02a73cb34d3e13cef90
SHA1 hash:
7549d74bd5ae448d04be158ad43de2f1042761c5
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/24a1a60b-0910-4835-bfcd-ff3062ec2f77/
SH256 hash:
118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2
MD5 hash:
28d058d0a99ecdabe50751a797ed8cb9
SHA1 hash:
62a84e392ed00c8920b2548bee829075f73e8e06
Link:
https://www.unpac.me/results/24a1a60b-0910-4835-bfcd-ff3062ec2f77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 118b4580958427b7e9f75bb2e42ff0e786bd63d5ce2d2f1dbdeb8babe98177d2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/977285/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113773/

Comments