MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49
SHA3-384 hash: 24441c5795643d9893a36e62461b25b1efcb493a23680a6378f1aea5196eff4716b9dc934ce8244b8daa32c88adeca48
SHA1 hash: 21772618e91656ca29e8839c7efa028039a45f13
MD5 hash: 592534a045539e2605f3792bb6e3ef06
humanhash: sad-lactose-delta-romeo
File name:RFQ_NTPXXVIII-EAT-ENG-2020-002_PDF.scr
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:329'216 bytes
First seen:2020-07-25 07:08:41 UTC
Last seen:2020-07-25 07:43:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:D6gVShDE44QqzJ+K0IfStTwe0FW3r856mRbv0OvHUvB5:B8m4k7f5e0ar856mF0OvH
Threatray 720 similar samples on MalwareBazaar
TLSH 6C64C019FBA95221C53C4B79C8DFBC445632A9A33193D60F14CD623D5E233CE4A97E8A
Reporter abuse_ch
Tags:AsyncRAT RAT scr


Avatar
abuse_ch
Malspam distributing AsyncRAT:

HELO: fav.server.vps
Sending IP: 184.175.86.138
From: Adler Pelzer <adlers@adlerpelzer.com>
Subject: Quote For RFQ: NTPXXVIII/EAT/ENG/2020/002
Attachment: RFQ_NTPXXVIII-EAT-ENG-2020-002_PDF.IMG (contains "RFQ_NTPXXVIII-EAT-ENG-2020-002_PDF.scr")

AsnycRAT C2:
panda45.duckdns.org:62727 (62.102.148.158)

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32323/
Detection(s):
SecuriteInfo.com.Njrat.26630.30291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
57 / 100
Link:
https://www.joesandbox.com/analysis/397839
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251100 Sample: RFQ_NTPXXVIII-EAT-ENG-2020-... Startdate: 25/07/2020 Architecture: WINDOWS Score: 57 34 Yara detected AsyncRAT 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 .NET source code contains very large array initializations 2->38 40 2 other signatures 2->40 7 RFQ_NTPXXVIII-EAT-ENG-2020-002_PDF.exe 6 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 26 C:\Users\user\AppData\...\wUU9kTILTQh.exe, PE32 7->26 dropped 28 C:\Users\...\wUU9kTILTQh.exe:Zone.Identifier, ASCII 7->28 dropped 30 RFQ_NTPXXVIII-EAT-...020-002_PDF.exe.log, ASCII 7->30 dropped 14 cmd.exe 1 7->14         started        16 wUU9kTILTQh.exe 2 7->16         started        process5 signatures6 19 reg.exe 1 1 14->19         started        22 conhost.exe 14->22         started        32 Injects a PE file into a foreign processes 16->32 24 wUU9kTILTQh.exe 16->24         started        process7 signatures8 42 Creates an autostart registry key pointing to binary in C:\Windows 19->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-25 07:10:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6lf6iwacoisaq52wpfsct4cdg5fjy6dk4atfgc7yn56lkpexjeq._file
Verdict:
malicious
Similar samples:
0eeb561ea16bf80e301847add0363445976f5ab518d23e499cbf1f7ce9e6fc59
AsyncRAT
1cc6b22673f09ee5dd4fa5b54b0244ab8f81ad0064e900d211f62890263a5ab7
AsyncRAT
5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
AsyncRAT
5e21f7f70d7f4328f3d27e4b040ead9ffa6bab8f91dbb1fb9cb211058a4ea961
AsyncRAT
9b471c2935fdd01c7e9d57e78f91d213e6d1b5a44ac1719048d92d02d1976422
AsyncRAT
abf3559102f105717f176c7929b5994a35686be15d37fb91d19d885f79cc1310
AsyncRAT
ac20f8f16efd13ea704488eb43b1a761f9e26bcdc70ac70d57cb15cbdab200bb
AsyncRAT
b05af3b65673a21e658075117c050ce9ebdf47634b64e354a6abf241fc8e8a9e
AsyncRAT
f019485de1ca48a37011e7df076b8e7105e928d4b2695caa1a6780a2a30f45cb
AsyncRAT
fc89e8d722a8625e80e22f5a19ef1371e388e1583e55618f2ea2451dfe356845
AsyncRAT
+ 710 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:asyncrat
Link:
https://tria.ge/reports/200725-gtqfcmdgej/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

img e3a0c5ff84921410e31181407da48eba052c4f66ce2b9c316b1079384988ade6

AsyncRAT

Executable exe 37965f22c013912043bab3cb214f8219ba54e3c3570132985fc37be5a9e4ba49

(this sample)

  
Dropped by
MD5 f69a73e4bc6f86560e5791a700a63922
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32323/
  
Dropped by
SHA256 e3a0c5ff84921410e31181407da48eba052c4f66ce2b9c316b1079384988ade6

Comments