MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46
SHA3-384 hash:	aad3c523d2c69d8b87c6e5079ebe273647de3221c6b1f51103a69c79018a90834c88160b08354e822598d82f2c78d3cb
SHA1 hash:	cceea0562c618a95f26ac1efa694fe3cc622fb73
MD5 hash:	d131c464871190f0110952675e1cd52e
humanhash:	lactose-august-nine-artist
File name:	CF09550WJ901.pdf.exe
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	657'920 bytes
First seen:	2020-08-28 05:44:44 UTC
Last seen:	2020-08-28 07:04:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:EvUkDqljanetnCysSVW7DAS5DVCFLo4937Ueyeed:YXMnCyLS5DVCP37Ue9e
Threatray	309 similar samples on MalwareBazaar
TLSH	74E4D04607298B7DCD48B6B82190D0BDD2356E82EB35E1C8DEC76CBA3D5A34DA54C2C3
Reporter	abuse_ch
Tags:	AsyncRAT exe FedEx OVPN RAT

abuse_ch

Malspam distributing AsyncRAT:

HELO: [193.56.28.237]
Sending IP: 193.56.28.237
From: [FedEx TW] <noreply@fedex.com>
Reply-To: no-reply.fedcx@workmail.com
Subject: 聯邦快遞出口貨物放行報單通知-提單號碼HAWB: 811734476057
Attachment: CF09550WJ901.zip (contains "CF09550WJ901.pdf.exe")

AsyncRAT C2:
185.157.162.81:9980

Hosted on OVPN:

% Information related to '185.157.162.0 - 185.157.162.255'

% Abuse contact for '185.157.162.0 - 185.157.162.255' is 'abuse@ovpn.com'

inetnum: 185.157.162.0 - 185.157.162.255
geoloc: 52.3757967 4.875317
netname: NL-OVPN
descr: OVPN Amsterdam
country: NL
admin-c: OIA19-RIPE
tech-c: OIA19-RIPE
status: ASSIGNED PA
mnt-by: MNT-OVPN
created: 2016-11-29T11:53:29Z
last-modified: 2020-06-02T06:29:45Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AsyncRat

Link:

https://www.capesandbox.com/analysis/52161/

Detection(s):

SecuriteInfo.com.Fareit-FYED131C4648711.1874.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

AsyncRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/453191

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to a pastebin service (likely for C&C)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected AsyncRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-08-28 03:25:55 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gmewqlkop7rnqawl4iwgtczr3e7e2nnf5zqrv3nlyh3od5vjnzda._file

Verdict:

suspicious

Result

Malware family:

asyncrat

Score:

10/10

Tags:

rat family:asyncrat

Link:

https://tria.ge/reports/200828-pxha49t6l2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Async RAT payload

AsyncRat

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.