MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f18c846952902badceaaf870f321598465a785963e098a621d7660aceffdbec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 10

SHA256 hash: 3f18c846952902badceaaf870f321598465a785963e098a621d7660aceffdbec
SHA3-384 hash: df03f22f55e3e44779eb1866bd8c9b0a540c6dbee9afcb8047527755b3b327ad13f406be9fb0303a0f1f4fe409492d1a
SHA1 hash: 04a3a8378e99b63e25f4d83e618e943895dd6ad5
MD5 hash: 2e5b7fe1474016edb2e5af6c23373e5d
humanhash: pasta-pennsylvania-magnesium-nineteen
File name: as.exe
Signature: AsyncRAT
File size: 1'670'656 bytes
First seen: 2021-06-04 16:44:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:WBFQWpQn0e1NPWhAvtTvt4jrfUfbupI0pg3tWPk:+FQRJ1NehAvtTv0QTupIagA
TLSH: 5A752AE87250B1AEC487CE32CA541CB4E79078FA470BE60B559776DD9E0EA9BCF140E1
Reporter: 0x3c7
Tags: AsyncRAT crime exe PE

Intelligence

File Origin
# of uploads: 1
# of downloads: 629
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: as.exe
Verdict: Malicious activity
Analysis date: 2021-06-04 16:47:37 UTC
Tags: trojan rat asyncrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the system32 subdirectories
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla AsyncRAT AveMaria
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Increases the number of concurrent connections per server for Internet Explorer
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph: [graph image, not reproduced in text] Behavior Graph ID: 429793, Sample: as.exe, Startdate: 04/06/2021, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2021-06-04 16:44:11 UTC
AV detection: 17 of 46 (36.96%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: family:asyncrat rat spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
147.124.214.14:6606
147.124.214.14:7707
147.124.214.14:8808
Unpacked files
SHA256 hash: 1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash: 8fe0389e4b903545421e42b628186cd2
SHA1 hash: f6adc3d1a4ac995fad2a49474243d896b0236c2b
SHA256 hash: 3f18c846952902badceaaf870f321598465a785963e098a621d7660aceffdbec
MD5 hash: 2e5b7fe1474016edb2e5af6c23373e5d
SHA1 hash: 04a3a8378e99b63e25f4d83e618e943895dd6ad5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_generic_suspicious_hex_string_Jun2021_1
Author: Nils Kuhnert
Description: Triggers on parts of a big hex string available in lots of crime'ish PE files.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: susp_hex_string_Jun2021_1
Author: 3c7
Description: Triggers on suspiciously long hex string that seems to be common in a lot of samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: AsyncRAT
File type: Executable exe
SHA256 hash: 3f18c846952902badceaaf870f321598465a785963e098a621d7660aceffdbec (this sample)

Delivery method
Distributed via web download
