MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc
SHA3-384 hash:	b5a75fbc170a35e86b4b398e85ff66539b2cfbe61c2d5b62ea4dc0e6d186a8836f03c63b3361c874066c80148d907692
SHA1 hash:	30e31f33e2358f61e9e5a40be55bb181085729f3
MD5 hash:	748b00a8844d4b25f2b3149e6fec4a75
humanhash:	mockingbird-nitrogen-bakerloo-georgia
File name:	4075e5cedf262f587538979cd6d62ff4b0fc5bdf7f9a4b770ae9e297ea7c9fcc
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	1'621'224 bytes
First seen:	2020-06-16 09:28:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f67879fc69d3769efc6303c5bfa88268 (2 x AsyncRAT, 1 x AgentTesla)
ssdeep	24576:ZO/Q4UWpnZ+yIBIJ3+um5O/Q4UWpnZ+yIBIJ3dTP8lH:Zba6Bo+um5ba6BopP8R
Threatray	1'968 similar samples on MalwareBazaar
TLSH	90758D62B1D0C8B2D9331A79AE3B4F705D367E20A529694E27E5FD0C5F763C1342A287
Reporter	JAMESWT_WT
Tags:	AsyncRAT

Code Signing Certificate

Organisation:	www.microsoft.com
Issuer:	Microsoft IT TLS CA 5
Algorithm:	sha256WithRSAEncryption
Valid from:	Oct 21 22:04:04 2019 GMT
Valid to:	Oct 21 22:04:04 2021 GMT
Serial number:	2D000C371562C41D9394087F680000000C3715
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	FCBD1CA6373D3296C2E99EF74FCB190D637046AE90B2526B74CEA30707020C03
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10684/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.GenKryptik.ELRL.1456.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.CryptInjector

Status:

Malicious

First seen:

2020-06-16 00:38:49 UTC

File Type:

PE (Exe)

Extracted files:

290

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ib26ltw7eyxvq5jys6onnvrp6sypyw67p6new5yk5hrjp2t4t7ga._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

AsyncRAT

149be9ee402fe6934e8898ac578f8ded23d397761ab4fa0a976c9d978d489948

AsyncRAT

4457d49095a509a84ce5c9796b7470c03a95638e1f628882cb8f6331b0153efb

AsyncRAT

56f27a73c491313639665758a863f1d00871d0b37077a03bfd5d50a4689d273d

AsyncRAT

5c93e522b96dfd6244f2e82bc06b8b14a8a2505bc05eff035d6acf3e50f69e07

AsyncRAT

b1667a4eee2a104e32fd9071a6de2ee27634d2e181350b329d58f54b12bd2931

AsyncRAT

b9fd1f91754ef3bdf7b66bd7138b2d1a5c9453b07bbdc515d582adfe7890d589

AsyncRAT

e3a18338921238575f176f679030eac3352c24066d8da0602b3c8b4e75bb1bad

AsyncRAT

e45aa38e4f734a6b5e9d8e55d3b71b16e4ae389eb7c857bbdaa98fb47e1d9ef3

AsyncRAT

e678a72b6f30f69daafd945543d4bb3e58152c37f8a7b883ce96b9ddf1c1c482

AsyncRAT

+ 1'958 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

rat family:asyncrat spyware

Link:

https://tria.ge/reports/200624-wll9tk2b7e/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Modifies the visibility of hidden or system files

AsyncRat

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10684/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample