MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7ab746deeed9c37386e614856907f3f528af2fe75e3711d165448f8b6fbfba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f7ab746deeed9c37386e614856907f3f528af2fe75e3711d165448f8b6fbfba
SHA3-384 hash: 838fddd7f5549b4062c7e3279fed4f9093413d0e8b65b1aee92ab8093e5f524a7989028cc4c600740069696467b8ec02
SHA1 hash: 05abcb0aa5e27b5ad09d97ee5b3b1b1bc178dc4f
MD5 hash: 7f602578fcb2ea3b403698c4c211b79b
humanhash: missouri-carbon-seven-north
File name:CONFIRMACION DE TRANSFERENCIA NUSUAL REALIZADA EXITOSAMENTE EL CUAL ENVIAMOS SOPORTE DE VERIFICACION PARA MAYOR SEGURIDAD.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:50'688 bytes
First seen:2020-09-29 17:46:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:hH2xpSq0veCrSu0EwSbF6Bv7oZXT/317gX:8xpSqqRkS5qwXbl7gX
TLSH A833BF0476D4CA45F03FB735D2E34A834BB2ACC33677962AA9D51A0B6F51A408F53F86
Reporter Anonymous
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Generic.mg.7f602578fcb2ea3b.8833.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/477734
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 291315 Sample: EGURIDAD.exe Startdate: 29/09/2020 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 7 other signatures 2->70 7 EGURIDAD.exe 17 4 2->7         started        12 EGURIDAD.exe 2 2->12         started        14 EGURIDAD.exe 2 2->14         started        16 EGURIDAD.exe 2->16         started        process3 dnsIp4 60 paste.merkoba.com 192.81.135.159, 443, 49718, 49723 LINODE-APLinodeLLCUS United States 7->60 54 C:\Users\user\AppData\...GURIDAD.exe, PE32 7->54 dropped 56 C:\Users\...GURIDAD.exe:Zone.Identifier, ASCII 7->56 dropped 72 Creates an undocumented autostart registry key 7->72 74 Drops PE files to the startup folder 7->74 76 Writes to foreign memory regions 7->76 78 Contains functionality to hide a thread from the debugger 7->78 18 WerFault.exe 23 9 7->18         started        21 InstallUtil.exe 2 7->21         started        24 timeout.exe 1 7->24         started        62 192.168.2.1 unknown unknown 12->62 80 Allocates memory in foreign processes 12->80 82 Hides threads from debuggers 12->82 84 Injects a PE file into a foreign processes 12->84 26 WerFault.exe 12->26         started        32 2 other processes 12->32 28 WerFault.exe 14->28         started        34 2 other processes 14->34 30 WerFault.exe 16->30         started        36 2 other processes 16->36 file5 signatures6 process7 dnsIp8 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->46 dropped 58 andrearodrigues0913.duckdns.org 191.88.254.193, 1880 ColombiaMovilCO Colombia 21->58 38 conhost.exe 24->38         started        48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->48 dropped 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 28->50 dropped 52 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 30->52 dropped 40 conhost.exe 32->40         started        42 conhost.exe 34->42         started        44 conhost.exe 36->44         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f7ab746deeed9c37386e614856907f3f528af2fe75e3711d165448f8b6fbfba/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-29 15:47:46 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat persistence family:asyncrat
Link:
https://tria.ge/reports/200929-jmqv67crfe/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Async RAT payload
AsyncRat
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
2f7ab746deeed9c37386e614856907f3f528af2fe75e3711d165448f8b6fbfba
MD5 hash:
7f602578fcb2ea3b403698c4c211b79b
SHA1 hash:
05abcb0aa5e27b5ad09d97ee5b3b1b1bc178dc4f
Link:
https://www.unpac.me/results/53d0e470-08d8-4c73-9e4c-e669769258f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f7ab746deeed9c37386e614856907f3f528af2fe75e3711d165448f8b6fbfba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/66828/

Comments