MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c
SHA3-384 hash:	47c3ab47ba74d94b3cb07f76f83136d90b7332b2cfa1138cb7aac40bb9450b2b4bd54beab8dd5b8316bd3584e39a8506
SHA1 hash:	8a6ed9e01be08484f2bbf3e7e267ea0298330836
MD5 hash:	b1bb23ee86ed2d0f47765a868779d083
humanhash:	juliet-item-undress-ten
File name:	Invoice ATC20211230.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	88'064 bytes
First seen:	2021-12-29 16:17:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	1536:LBdTEgBbN+xP9cPppv3s54ldQxM/TsLi+vQrpazPcXofYsxzR17TtJeqZx:LBxEgBbNR68d4kX6YsxzRB5JeqZx
Threatray	165 similar samples on MalwareBazaar
TLSH	T14683D051E78A47B1EAF407F274CB8A7262F41F62712BE0AF10993FDA34433594A4AB45
File icon (PE):
dhash icon	62e68c18148ca0e0 (10 x CoinMiner, 7 x AgentTesla, 4 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	AsyncRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice ATC20211230.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-29 16:18:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e1328bd4-1a14-4b87-aefd-1faaf0296b81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/216800/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

jigsaw obfuscated packed strictor

Link:

https://www.filescan.io/uploads/61cc8a3eec6c6c14a9fbd507/reports/9f87d89f-232c-41ca-9a4e-0e7a5cd9d06a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Quasar RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9fdd3526-757b-4822-b94c-75cb64169005

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/913853

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Drops executable to a common third party application directory

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c/

Threat name:

ByteCode-MSIL.Trojan.Strictor

Status:

Malicious

First seen:

2021-12-29 16:18:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehfkjdx35ao2hqofrnuwcdcdudmrh24v2ces6jhhi56wvncg6nwa._file

Verdict:

malicious

Label(s):

asyncrat

AsyncRAT

30c2c6ab4ddd7c5bcd0da13b6b6d7dff544bfb369f6c8a0c3825e54a8852059c

AsyncRAT

84a5f6bd4a13a1926ab7e242b88c8956857be6bc2a4c2d4faa27949c3b3483db

AsyncRAT

90903999baa70b0965698675e67612c0d16ef890394fa822cc11b8b7af8f7ee5

AsyncRAT

d2d45c33e2a117592e32cc56193c281dcb331281f6024a2eb793c756b4a45d89

AsyncRAT

fb866525850ae54290c45e8b03924e453052c5e1f0261467ff2ff35fa8ae7f9d

AsyncRAT

fd1d2de482925060b31bf7aed80909ff2c8f4a5bfa61f8679e70d5670e9bb67e

AsyncRAT

fdddb3226bd01d7623ee1e778326b70acb4a4a88f2284d2f8a7a49af7e8c6edf

AsyncRAT

+ 155 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat

Link:

https://tria.ge/reports/211229-tryhzsdfaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

AsyncRat

Unpacked files

SH256 hash:

21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c

MD5 hash:

b1bb23ee86ed2d0f47765a868779d083

SHA1 hash:

8a6ed9e01be08484f2bbf3e7e267ea0298330836

Link:

https://www.unpac.me/results/522e5152-7952-4621-9454-811b7519c925/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

exe 21caa48efbe81da3c1c58b69610c43a0d913eb95d0892f24e7477d6ab446f36c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/216800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample