MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe
SHA3-384 hash: d3701e261954aa73dc9c61eeaf87aa66fcc723b5d829b0cc0a61a3ba8cf5f2ae9e5fc20685388c07df87ed02f397489b
SHA1 hash: fe9a98acfce5d81c301ecc86f536eb6401c78d02
MD5 hash: 3776d8806bf718b55061f24aa5692408
humanhash: oranges-minnesota-golf-zebra
File name:Factura de pago.xlsx.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:646'144 bytes
First seen:2022-06-08 14:35:18 UTC
Last seen:2022-06-09 05:40:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:C632LqsAleLhc9qdWkIYOvNk+7OEGXerrFbEO+488q:jJshcIvH+OzOnFQOt8
TLSH T1D7D4D01276A7CE73E2E60777C1DA4004D7BA9142D6DBE31B224813E59E4B3DECA06787
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AsyncRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Factura de pago.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2022-06-08 18:47:49 UTC
Tags:
asyncrat trojan rat
Link:
https://app.any.run/tasks/f4ba4061-ad3a-4965-ae2c-f4139268ff69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277814/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62a0b3dc6aa17a21fc2c9c71/reports/4418edaf-7d48-49ea-be11-8a49417efb3b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8b0ea4e-09b3-43f2-9e6d-ce3049227aca
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009114
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 641608 Sample: Factura de pago.xlsx.exe Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 9 other signatures 2->75 10 Factura de pago.xlsx.exe 7 2->10         started        process3 file4 55 C:\Users\user\AppData\...\eUmdOTbNAaGd.exe, PE32 10->55 dropped 57 C:\Users\...\eUmdOTbNAaGd.exe:Zone.Identifier, ASCII 10->57 dropped 59 C:\Users\user\AppData\Local\...\tmp7EB3.tmp, XML 10->59 dropped 61 C:\Users\...\Factura de pago.xlsx.exe.log, ASCII 10->61 dropped 77 Adds a directory exclusion to Windows Defender 10->77 79 Injects a PE file into a foreign processes 10->79 14 Factura de pago.xlsx.exe 6 10->14         started        17 powershell.exe 25 10->17         started        19 schtasks.exe 1 10->19         started        21 Factura de pago.xlsx.exe 10->21         started        signatures5 process6 file7 63 C:\Users\user\AppData\Roaming\images.exe, PE32 14->63 dropped 23 cmd.exe 1 14->23         started        25 cmd.exe 1 14->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        process8 process9 31 images.exe 23->31         started        34 conhost.exe 23->34         started        36 timeout.exe 23->36         started        38 conhost.exe 25->38         started        40 schtasks.exe 25->40         started        signatures10 81 Multi AV Scanner detection for dropped file 31->81 83 Machine Learning detection for dropped file 31->83 85 Adds a directory exclusion to Windows Defender 31->85 87 Injects a PE file into a foreign processes 31->87 42 powershell.exe 31->42         started        44 schtasks.exe 31->44         started        46 images.exe 31->46         started        49 images.exe 31->49         started        process11 dnsIp12 51 conhost.exe 42->51         started        53 conhost.exe 44->53         started        65 91.192.100.7, 49773, 49776, 49779 AS-SOFTPLUSCH Switzerland 46->65 67 192.168.2.4, 137, 138, 443 unknown unknown 46->67 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 14:23:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=enhuej46iskod7szfvnx5zfsoix4rborrnwxq6hqphqbxmhbep7a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:eloasync rat
Link:
https://tria.ge/reports/220608-ryjx3abehm/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
91.192.100.7:8282
Unpacked files
SH256 hash:
822acfa7282236e2bf6de53ebd616d64f69a4c05b204091097d855786626ec38
MD5 hash:
194dbf45a25d5547408ddae7bc382b1f
SHA1 hash:
b6d7df8f6e39791f7e9c855c4c3f73ac63414f4d
Link:
https://www.unpac.me/results/87907384-8be1-493c-a0d7-46397204d186/
SH256 hash:
b4256b88cf18e173386906c31ff25142d6aac63f37a784d6f0ffe0994221e29d
MD5 hash:
db02810eaa9beb40a8bc4852d14d6a3f
SHA1 hash:
262b65e8035903300edffae2e40bac75d1dfd98c
Link:
https://www.unpac.me/results/87907384-8be1-493c-a0d7-46397204d186/
SH256 hash:
a675f303f6e1ed214cb7ae9910246a1d54565da05690b29001d713f2acaad961
MD5 hash:
feed7bf03a05e5d55c945349f4db4399
SHA1 hash:
19021308efc63f8063b7d9b805b2a75ba18b3833
Link:
https://www.unpac.me/results/87907384-8be1-493c-a0d7-46397204d186/
SH256 hash:
1825f812012cfce3edd06a8b5d1869c70a45d71cbc8010d813c7f33734108242
MD5 hash:
b82bac92de4a6f0592cb3fd5026f114c
SHA1 hash:
0fb5e3905ed1843216a9a94277925973e47d4544
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/87907384-8be1-493c-a0d7-46397204d186/
Parent samples :
234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe
cd470b6e8b2d870b614d3e481406039d2f0b5cec27ed8427b76fba09f4fa692d
a445fedd39770b68dc737401c065552adc66c61c16cdf9eefca61cf686ea7a41
7e78a34550234b3ccd5a7a9a98dc5c123ecad7c06e42f03a89e1faa396d2384f
5b682f3038aea6c3db35ba85a82712a1920adddd5587777742ca711dcd729757
3f140dbc69924c00d56b0797cd7cc50aceea1bf858bbadc05dab6f7ede11821c
3b51dc9ecd141fd30a12ab8a0d4a10bb3b50ec28a80ee64cfc736ca8dd2ba7e2
33910338115a8da407e1a15477e593b07fc645ef619a787bbb51ee77906c6e4c
SH256 hash:
234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe
MD5 hash:
3776d8806bf718b55061f24aa5692408
SHA1 hash:
fe9a98acfce5d81c301ecc86f536eb6401c78d02
Link:
https://www.unpac.me/results/87907384-8be1-493c-a0d7-46397204d186/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

Executable exe 234f42279e4494e1fe592d5b7ee4b2722fc885d18b6d7878f079e01bb0e123fe

(this sample)

  
Dropped by
AsyncRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277814/

Comments