MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a
SHA3-384 hash: 09c513b81d3eede4ae602e2561df82901fd485626069728ed9e3895c967e9f837ce330a4f3cb22169b49db82ae9daf57
SHA1 hash: 2fef7b5739f09f659aa0fc89a6486edb4f2a3152
MD5 hash: 3562dc2fdb8acb24c13969c7e0877dbb
humanhash: uncle-pennsylvania-double-five
File name:SecuriteInfo.com.Mal.Generic-S.26042.7459
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:431'592 bytes
First seen:2020-11-27 05:48:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 3072:jXrYyv6YwITHBnXvWA6pwbOeer52kDeCe4rCBWQz5ueCciwtC:jXrYy1HHBnXvX6pfBw6
Threatray 483 similar samples on MalwareBazaar
TLSH 1694826C3A8F5F11AF7035F926960A404DFDBF8BE051F2DB0CCA91EAB0922422757D59
Reporter SecuriteInfoCom
Tags:AsyncRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105775/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/548959
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323584 Sample: SecuriteInfo.com.Mal.Generi... Startdate: 27/11/2020 Architecture: WINDOWS Score: 100 58 prda.aadg.msidentity.com 2->58 60 pastebin.com 2->60 62 g.msn.com 2->62 76 Antivirus detection for dropped file 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 6 other signatures 2->82 8 SecuriteInfo.com.Mal.Generic-S.26042.exe 24 7 2->8         started        13 SecuriteInfo.com.Mal.Generic-S.26042.exe 2->13         started        15 SecuriteInfo.com.Mal.Generic-S.26042.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 68 pastebin.com 104.23.98.190, 443, 49726, 49732 CLOUDFLARENETUS United States 8->68 70 hastebin.com 104.24.126.89, 443, 49720 CLOUDFLARENETUS United States 8->70 72 192.168.2.1 unknown unknown 8->72 52 SecuriteInfo.com.Mal.Generic-S.26042.exe, PE32 8->52 dropped 54 SecuriteInfo.com.M...exe:Zone.Identifier, ASCII 8->54 dropped 56 SecuriteInfo.com.M...ric-S.26042.exe.log, ASCII 8->56 dropped 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->84 86 Creates an undocumented autostart registry key 8->86 88 Creates autostart registry keys with suspicious names 8->88 90 3 other signatures 8->90 19 SecuriteInfo.com.Mal.Generic-S.26042.exe 8->19         started        22 powershell.exe 24 8->22         started        24 powershell.exe 10 8->24         started        34 3 other processes 8->34 74 172.67.143.180, 443, 49741, 49742 CLOUDFLARENETUS United States 13->74 26 timeout.exe 13->26         started        28 timeout.exe 15->28         started        30 timeout.exe 17->30         started        32 timeout.exe 17->32         started        file6 signatures7 process8 dnsIp9 64 45.144.30.25, 4404, 49733 HQservCommunicationSolutionsIL United Kingdom 19->64 66 pastebin.com 19->66 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 20:25:18 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g64efs2226qm4gn5onpbjp6tl4wqocgts3n56vvtfr4ujc53545a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0436d6f4b359931843bd7138af740f54ce65b9270adc23d70b6105283f4b48be
AsyncRAT
444338fed0f0499fb9d5a4862b64386472c22329aa75f6c544c6d37b8b5a629f
AsyncRAT
5b0ffdd98aa6a53e13e00b7723f9c8085e7b03356c5ec4e77cc88c9779011b74
AsyncRAT
723e0460b1864769c5779dbee1996e020eb1fac20540f713f4ff2c4346cfab1b
AsyncRAT
7caf87ac1666f10cbbff4cc01d51ec4df556908b2d8d55d5c4f0f3724dceded1
AsyncRAT
a4df3907640f596ab2f05793362a19de2cd01b05b20fd142f46cc47dd61c901c
AsyncRAT
d02744b13cf330e20f47b85ed95d62ed634d9423a9b801a5cb2d694147110103
AsyncRAT
f0f7f9f3d293065a8554c6b9e4757bf511dd3577636ca1a075e0afd206250e5e
AsyncRAT
f9cff9e6050b1536e55014e7eafdc8827fb237e9235ff60265c5d1afaa5d5e6e
AsyncRAT
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
AsyncRAT
+ 473 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat evasion persistence rat trojan
Link:
https://tria.ge/reports/201127-d2jjdenx66/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Windows security modification
Looks for VMWare Tools registry key
Async RAT payload
Looks for VirtualBox Guest Additions in registry
AsyncRat
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Malware Config
C2 Extraction:
null:null
Unpacked files
SH256 hash:
37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a
MD5 hash:
3562dc2fdb8acb24c13969c7e0877dbb
SHA1 hash:
2fef7b5739f09f659aa0fc89a6486edb4f2a3152
Link:
https://www.unpac.me/results/97b4de84-f259-4694-b3e7-d0b308669886/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AsyncRAT

Executable exe 37b842cb5ad7a0ce19bd735e14bfd35f2d0708d396dbdf56b32c79448bbbef3a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/858070/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105775/

Comments