MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
SHA3-384 hash: 9bd78a87bbd89ef662eaf07a3642a99ab5b7be67934b6b492121aff2fd5b97abbe8aba1771ce809d845b4ccbcbbcf0a7
SHA1 hash: b1f1049d20e8bb2c3eeabec94421500de233b09a
MD5 hash: 877c36519ba0d5bf41fadb5a80b012ad
humanhash: oxygen-fish-fanta-sweet
File name:877c36519ba0d5bf41fadb5a80b012ad.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:347'648 bytes
First seen:2021-04-18 12:57:19 UTC
Last seen:2021-04-18 13:55:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:TKYXbVLi3BWk+pDHWvJRwIpReKpBKB4p6v+COuTsmBRlrjgrJWJRncac6pARP/2w:TKYrVLi3BWRdyhy+Krz9lrjQWARo
Threatray 206 similar samples on MalwareBazaar
TLSH D07457CB6E0412B7CB8DF53441A3B33C5B2B993E2BC39E4ED41B7D4993B669CA442059
Reporter abuse_ch
Tags:AsyncRAT exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
877c36519ba0d5bf41fadb5a80b012ad.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-18 13:03:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11cc95f9-aa95-437c-84b1-fe86d3452d1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/137706/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.25089.26646.10598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Launching a process
Creating a file in the %AppData% directory
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/685020
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 391460 Sample: f1MdIMyl48.exe Startdate: 18/04/2021 Architecture: WINDOWS Score: 100 80 api.ip.sb 2->80 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Antivirus detection for dropped file 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 7 other signatures 2->88 9 f1MdIMyl48.exe 16 7 2->9         started        13 Obazzzz.exe 2->13         started        15 Obazzzz.exe 2->15         started        signatures3 process4 file5 66 C:\Users\user\AppData\Roaming\Obazzzz.exe, PE32 9->66 dropped 68 C:\Users\user\AppData\...\f1MdIMyl48.exe.log, ASCII 9->68 dropped 70 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 9->70 dropped 90 Adds a directory exclusion to Windows Defender 9->90 17 RegAsm.exe 9->17         started        21 powershell.exe 24 9->21         started        23 AdvancedRun.exe 1 9->23         started        25 AdvancedRun.exe 1 9->25         started        72 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->72 dropped 27 AdvancedRun.exe 13->27         started        29 AdvancedRun.exe 15->29         started        signatures6 process7 dnsIp8 74 179.43.140.164, 24607, 49713, 49724 PLI-ASCH Panama 17->74 76 pastebin.com 104.23.98.190, 443, 49712 CLOUDFLARENETUS United States 17->76 78 192.168.2.1 unknown unknown 17->78 58 C:\Users\user\AppData\Local\Temp\vbfzlf.exe, PE32 17->58 dropped 60 C:\Users\user\AppData\Local\Temp\qfymjy.exe, PE32 17->60 dropped 62 C:\Users\user\AppData\Local\Temp\pqqqaz.exe, PE32 17->62 dropped 64 C:\Users\user\AppData\Local\Temp\mahuss.exe, PE32+ 17->64 dropped 31 cmd.exe 17->31         started        34 cmd.exe 17->34         started        36 cmd.exe 17->36         started        38 conhost.exe 21->38         started        40 AdvancedRun.exe 23->40         started        42 AdvancedRun.exe 25->42         started        44 AdvancedRun.exe 27->44         started        file9 process10 signatures11 92 Suspicious powershell command line found 31->92 94 Bypasses PowerShell execution policy 31->94 46 conhost.exe 31->46         started        48 powershell.exe 31->48         started        50 conhost.exe 34->50         started        52 powershell.exe 34->52         started        54 conhost.exe 36->54         started        56 powershell.exe 36->56         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmaz4ok5a5xahm5uulmundj2zm3n62irlyczcgizj66y3vwr3vvq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
masslogger
Create hunting rule
Similar samples:
0137042c076d728f11067b31394854e43724b1b588a65d0718d696ac2efd7f3f
AsyncRAT
3ee82cb6b92599b06273f1a48091fdbab0ca285fb8147501a0392b8a2eba583c
AsyncRAT
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
AsyncRAT
770b35e82759eb0107679b50d38f5e40175901c548a5fd8282e116e8d455c418
AsyncRAT
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
AsyncRAT
93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464
AsyncRAT
a57e3df4a9633d46ac59b6a45a3ad21357acbf5182e841e16a820edf81138bb6
AsyncRAT
d0468ea18c3ec3cc761985436a8d0d299191f27b2288597d29eed413e140cef9
AsyncRAT
dd9fd40438d1819fb9f9d72ddc6f5d06c1651aa6543ca6560819d27a764c68d2
AsyncRAT
ff734df4d09afad52e931fce898a5497b78081fbca44f091e55a3da4b47c1350
AsyncRAT
+ 196 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline family:smokeloader backdoor discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210418-e58gmbh9bj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
Nirsoft
AsyncRat
Modifies WinLogon for persistence
RedLine
SmokeLoader
Malware Config
C2 Extraction:
:
http://greenco2020.top/
http://greenco2021.top/
http://greenco2022.top/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/137706/

Comments