MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4
SHA3-384 hash: 9b6bfc4ba88711d6d5967b0f1614fd5ac73387436a76146a3e957b20c655ba4ee9344b6cfb0f59d7b43cafd5efb45c18
SHA1 hash: d8d184b78e5bbf442fa356dc475ac3e7952b76be
MD5 hash: 4b6a74239084f3cd60a0122dd3d0bc3d
humanhash: utah-delaware-bacon-kentucky
File name:INVOICE 01.PDF.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:245'248 bytes
First seen:2020-07-29 06:21:10 UTC
Last seen:2020-07-29 06:40:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:NlWL/W/jO/gC94Nn6Rbk363K6x3jjox8IfD:7oW/jO/gC9SOk3D2y7
Threatray 5'013 similar samples on MalwareBazaar
TLSH AE34CF1423EBC361D9EC8BF506536D4043759EAE8473E2160FEA70CE21BABF1755262B
Reporter abuse_ch
Tags:AsyncRAT exe nVpn RAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hotmail.com
Sending IP: 45.90.222.242
From: Hami TURFANDA <comercialrasmer@hotmail.com>
Subject: PROFORMA INVOICE of New order
Attachment: INVOICE 01.PDF.R24 (contains "INVOICE 01.PDF.exe")

Unknown RAT C2:
79.134.225.55:9654

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34203/
Detection(s):
SecuriteInfo.com.FileRepMalware.15183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt
Connection attempt to an infection source
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/401284
Signature
.NET source code contains potential unpacker
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 01:25:30 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h33ydvrmduwgvky7itvdg5bzku6sjh7zrjfxbxwswioodszzxosa._file
Verdict:
malicious
Similar samples:
11d8da5aedad9fde99211e94796aba422762ee6943f359c313626faf2eb0638f
AsyncRAT
27d1e735572f83321a266037a5f451e145008e308d6278c63a6ef106e2d298a5
AsyncRAT
8a020281d5b475372fcf518c8f4a6b913b3a855c458996a9d7b525062ad736ec
AsyncRAT
8e6f297527e6eb70b658b01c08cf16d6e88a1d5716eaf2f3162ab5b972112ba9
AsyncRAT
96b1ce824a3687c29b0cb8663c62a09545eb713a3dcf776c29c9a85a393e5d1c
AsyncRAT
97d23ffd00c0dd37730804366759beb11de41f3f5d245014e976a57d667a5ccd
AsyncRAT
9ba6343e794c0e415adb118885c33aa18446c746dd30ec59b4fda2724b2f08d7
AsyncRAT
cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8
AsyncRAT
d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2
AsyncRAT
f22ea9b80af6dab15179a98494ece17216381d9b334c6bb2a130040eeafaf614
AsyncRAT
+ 5'003 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat
Link:
https://tria.ge/reports/200729-c6xclx7f2a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ef781d62c1d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

rar fd8a1b1ec0a97403acb0706c931bbb78d7c035f56d8ff428b208336aeeb650c8

AsyncRAT

Executable exe 3ef781d62c1d2c6aab1f44ea337439553d249ff98a4b70ded2b21ce1cb39bba4

(this sample)

  
Dropped by
MD5 b6d5ade1f43ffb3fe77023033d682bc7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34203/
  
Dropped by
SHA256 fd8a1b1ec0a97403acb0706c931bbb78d7c035f56d8ff428b208336aeeb650c8

Comments