MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6
SHA3-384 hash: 9dd9cee3620f056c9845f425cb569ba165c543d320ab9642534d02e5eb6859bf5145220cde36096a4378b5fb9b4c2b35
SHA1 hash: 9064ca55686edead9351d49c911c184caa236ae7
MD5 hash: 3d2af31c95b477dc90f42b825ad7c126
humanhash: uncle-fillet-wisconsin-yellow
File name:Kleinschmidt GmbH Invoices - Payment Receipt..exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:815'104 bytes
First seen:2022-09-19 11:20:48 UTC
Last seen:2022-10-07 13:13:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:Gk4I1/j6U/sWc918LevX14oT61JDC2ya7/yo5tNLCFC7z/7tkW/x2RDXY3/+75f0:0UuscX8LqFY1JD/moblCAz5V/qYPe
TLSH T1DB057C9433E6C806C85A6F35F8D3F1F49AE46D8182EAC60E14D8FD6BB23B35419A1375
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cccce0d8cce4c0c4 (1 x AsyncRAT)
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
209.127.186.218:6305

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
209.127.186.218:6305 https://threatfox.abuse.ch/ioc/850482/

Intelligence

File Origin
# of uploads :
3
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Kleinschmidt GmbH Invoices - Payment Receipt..exe
Verdict:
Malicious activity
Analysis date:
2022-09-19 11:22:55 UTC
Tags:
asyncrat trojan rat
Link:
https://app.any.run/tasks/72a117cd-9fb6-4687-a663-dbb279af942e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311294/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31715.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632851d96aa625318dca0af8/reports/77038665-47df-4146-9fcd-f8bffc99127f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d98905a-895b-4b64-8378-079ced70759c
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072898
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 705440 Sample: Kleinschmidt GmbH Invoices ... Startdate: 19/09/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 13 other signatures 2->51 9 Kleinschmidt GmbH Invoices - Payment Receipt..exe 7 2->9         started        process3 file4 33 C:\Users\user\AppData\...\bVUhnvekcvHWd.exe, PE32 9->33 dropped 35 C:\...\bVUhnvekcvHWd.exe:Zone.Identifier, ASCII 9->35 dropped 37 C:\Users\user\AppData\Local\...\tmp81D3.tmp, XML 9->37 dropped 39 Kleinschmidt GmbH ...nt Receipt..exe.log, ASCII 9->39 dropped 53 Adds a directory exclusion to Windows Defender 9->53 55 Injects a PE file into a foreign processes 9->55 13 Kleinschmidt GmbH Invoices - Payment Receipt..exe 1 2 9->13         started        17 schtasks.exe 1 9->17         started        19 powershell.exe 21 9->19         started        21 2 other processes 9->21 signatures5 process6 dnsIp7 41 209.127.186.218, 49718, 49720, 6305 SERVER-MANIACA Canada 13->41 43 127.0.0.1 unknown unknown 13->43 57 Tries to harvest and steal browser information (history, passwords, etc) 13->57 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9 process10 29 MpCmdRun.exe 1 23->29         started        process11 31 conhost.exe 29->31         started       
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 11:11:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d7wb4epcnogr32brwuh7afr57sr2oupdxmuounzlkst4ttazz73a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat spyware stealer
Link:
https://tria.ge/reports/220919-nfzn1seea9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:6305
209.127.186.218:6305
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f0dd66e-53ae-4094-8263-8d426a869cff
Unpacked files
SH256 hash:
abd13bd12ed8f21d2cd5213ddb7e58a3feadb87d1f999934017b691478ce525e
MD5 hash:
7d17146434cf75cc7078e5f36a2e2506
SHA1 hash:
bfe64f3cde4bc95076226cf76d0154289802a6b5
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
SH256 hash:
049e4540430aad39d99d23276582779a41548c95045610f53c91cd2755807c7f
MD5 hash:
8d3e5a90ffcfddc76e78db99aa938680
SHA1 hash:
745d95ab0c21934fa2a482e66d29c0cdfcafa0b3
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
SH256 hash:
e9e281e862a911ca608042024e59e7b8501765141b2239373bea2e54f26cbbf1
MD5 hash:
aeb6022793350b7bd58641d35ba814dc
SHA1 hash:
26aff4a0b78e1318064925425522082c56e07ec9
Detections:
AsyncRAT
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
SH256 hash:
1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6
MD5 hash:
3d2af31c95b477dc90f42b825ad7c126
SHA1 hash:
9064ca55686edead9351d49c911c184caa236ae7
Link:
https://www.unpac.me/results/c8c8720a-597f-497e-94a0-17c853025d53/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1fec1e11e26b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

7z 2894d07aa782dcb0bc5c542447e2aba9d86c0c98fff54a91d19f1444abf95b6f

AsyncRAT

Executable exe 1fec1e11e26b8d1de831b50ff0163dfca3a751e3bb28ea372b54a7c9cc19cff6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/311294/
  
Dropped by
SHA256 2894d07aa782dcb0bc5c542447e2aba9d86c0c98fff54a91d19f1444abf95b6f
  
Dropped by
MD5 507e78b17aa6cf7bd88beb426cffc904

Comments