MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb
SHA3-384 hash: 505917e7421a6a7dad6be6bb925e4060000babbf2da9e2c52b2fef376566da6a3f9cafaa28611aff791a43f3324c212a
SHA1 hash: 6e5a056761a54e173601c57e26d867789707722e
MD5 hash: b4891e094082425b62776b6c7413f0e5
humanhash: eight-fillet-lion-pip
File name:Invoice.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:547'865 bytes
First seen:2020-07-20 08:29:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:Ued+RQ21hGU0E5NhHbpvc1oaS1RkvppSC8MVR:Z+RbXB0Kv7iopSpSC8Mr
Threatray 560 similar samples on MalwareBazaar
TLSH 3CC4E102FAD184B2E6721D321D7967116B7CB6341E24CB2FB7C44C6DDE71092AA25FA3
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: server0.wynntrade.pw
Sending IP: 159.203.186.80
From: hetaojinhu@hxb.com.cn<sales@wynntrade.pw>
Subject: Accountant, Huaxia Bank
Attachment: Invoice.zip.7z (contains "Invoice.exe")

AsyncRAT C2:
194.5.98.81:3434

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NOR
country: NO
descr: Sandefjord
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-07-14T18:04:10Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28819/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/391088
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247873 Sample: Invoice.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 64 35 Multi AV Scanner detection for submitted file 2->35 37 Initial sample is a PE file and has a suspicious name 2->37 8 Invoice.exe 11 2->8         started        process3 file4 27 C:\Users\user\AppData\...\svchosts.sfx.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\avd.exe, PE32 8->29 dropped 11 cmd.exe 1 8->11         started        13 avd.exe 8 8->13         started        process5 signatures6 16 svchosts.sfx.exe 11->16         started        19 conhost.exe 11->19         started        39 Multi AV Scanner detection for dropped file 13->39 21 cmd.exe 1 13->21         started        23 conhost.exe 13->23         started        process7 signatures8 31 Multi AV Scanner detection for dropped file 16->31 33 Machine Learning detection for dropped file 16->33 25 reg.exe 1 21->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:31:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eogcethy2c3wkmvoc34krutieq3kc5uqt44cxb2h4qmpilgk5xvq._file
Verdict:
malicious
Similar samples:
07d34ae6bb632f04345eb39f5b4221f9a7e37145c55350222fcf191778a28d5e
AsyncRAT
1aca49752cef2bb58d097e0ac96963e32f14e4e6b1e6e24e11125d1e9ef54cf2
AsyncRAT
51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab
AsyncRAT
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
AsyncRAT
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
AsyncRAT
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
AsyncRAT
90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377
AsyncRAT
b5c7fbd5e805b6f1a9796c041be4f9829d2157e5b59a6608871511d045b8d79c
AsyncRAT
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
AsyncRAT
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
AsyncRAT
+ 550 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-6d4f8fr8bn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

zip 8581bd6c453b18962ca4a66deb5622de30949bc7417a5b67a8bc10062242c3f9

AsyncRAT

Executable exe 238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb

(this sample)

  
Dropped by
MD5 23955d1a4acffe118a116e88a1f1321a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8581bd6c453b18962ca4a66deb5622de30949bc7417a5b67a8bc10062242c3f9
Cape
Cape
https://www.capesandbox.com/analysis/28819/

Comments