MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28
SHA3-384 hash: 92d04fdf662848f7e1644b25e214338fb1a8e06036c64c70d79e480829b40830025d5f3444d35b7c42affeba22e7b114
SHA1 hash: b321a4d1fb4a97e58a37696a250031aff7bf0242
MD5 hash: 377646f2e60dc8f7077190ec4247af77
humanhash: yellow-triple-golf-tango
File name:order-sample 2020816.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:60'096 bytes
First seen:2020-08-16 08:05:33 UTC
Last seen:2020-08-16 08:32:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep 1536:ibAIiq8myGI4WUmohnMevYNbKSgFfQtkkQ01r7tWXii:ibAIiq8myGhWUmohnMevYNvgytkkQ0ZI
Threatray 295 similar samples on MalwareBazaar
TLSH 274372027640B725C2A9793C46E6ED2827B4B2FB0B21850DDF51BF5EFE412B1AC486DD
Reporter abuse_ch
Tags:AsyncRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cloudhost-357400.us-midwest-1.nxcli.net
Sending IP: 104.207.254.169
From: GT@tawredat.com
Subject: new order-2020816
Attachment: order-sample 2020816.zip (contains "order-sample 2020816.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46433/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34152.dm1@aqUobNhi.12947.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/432199
Signature
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-16 08:07:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=drgflvkk3ywzit6rr3lqjqa37hr6mlnl3ksu5z4hc6klvflfx4ua._file
Verdict:
suspicious
Similar samples:
12859bb50366c248e9488a8852c0923bcb4135f8fcedcbac19228fe329ff39a7
AsyncRAT
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
AsyncRAT
25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
AsyncRAT
3e9cb7d6eaaa8c07d939eca0bbfd2d670e349de2dd018c8d30ab59b5e19ddc95
AsyncRAT
56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d
AsyncRAT
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
AsyncRAT
847b3580cba59e7f4b453488c263544f3c481027d2ddf4f9f3988d84afc35c85
AsyncRAT
a4df5e9015f70b47dc4f2e6bae0fbeb9d108979e0cda7ef54aa123a0d33bdf8b
AsyncRAT
c8cc7c1a1210a082960b929c3598521979e16c1c6f5626b8ad29b9618ab5e18c
AsyncRAT
d0d47f1c08031d4297f713a98d6ca969009df8c0f637110622190d4ff9727106
AsyncRAT
+ 285 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat persistence family:asyncrat
Link:
https://tria.ge/reports/200816-nshmjh17rx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 86a5b9b543bba7f65fb8262810a205c77599bd9faa3f7d131d5b77a5af84586a

AsyncRAT

Executable exe 1c4c55d54ade2d944fd18ed704c01bf9e3e62dabdaa54ee7871794ba9565bf28

(this sample)

  
Dropped by
MD5 b303d01e7356817ed4448642b33876fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46433/
  
Dropped by
SHA256 86a5b9b543bba7f65fb8262810a205c77599bd9faa3f7d131d5b77a5af84586a

Comments