MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a
SHA3-384 hash: 93fb75871b7d53aa4c3cfa0183b0f188f9c6bac61b95600ae12db12366a924f8955f84579f2ed33f0e69daad8f66c9ee
SHA1 hash: 148d80f999f069a5fd027eabfc9eae7d08f8e39b
MD5 hash: 5cc4ae3ea66ca80fa701b8e1ff5b8793
humanhash: may-uniform-cola-chicken
File name:Summer_richiesta_di_preventivo_070820.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:253'952 bytes
First seen:2020-08-07 13:26:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:g3RB022geEDN4v8PyHjDwSEaX/WNqPD4Ui59FqsNKhJKrTgHgrzGY6MkElvMcuZr:d2EEDNEHwSEqj4p9FqwoAH6ZcusXY
Threatray 1'918 similar samples on MalwareBazaar
TLSH 73446C3C43080D67D07F4AFC8831421252F5D28324E1E696BEED65E819D3BCA5F6A76B
Reporter abuse_ch
Tags:AsyncRAT exe geo ITA nVpn RAT


Avatar
abuse_ch
Malspam distributing AsyncRAT:

From: Matteo <Matteo@leifheit.com>
Reply-To: Matteo.leifheit@post.com
Subject: Leifheit richiesta di preventivo
Attachment: Summer_richiesta_di_preventivo_070820.z (contains "Summer_richiesta_di_preventivo_070820.exe")

AsyncRAT C2:
185.140.53.9:7003

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41651/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415312
Signature
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 13:28:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijzfijdzglswtu7ubps44fesm2ykq7wrg5lkwvmiddnolxflwrfa._file
Verdict:
suspicious
Similar samples:
06d9da2523f02f99abd5192967db5700ad9b1e8356bc5e290d0f449b6a1e70a4
AsyncRAT
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
AsyncRAT
ba0384ca1c6c4fb746650b051f46e3ab0a5c3c06620b6b7f0d8449f05700658d
AsyncRAT
c15c6160e13ca27b7ce41293bfd26c5528953fc569c58b971aab66116c33ade4
AsyncRAT
d0d47f1c08031d4297f713a98d6ca969009df8c0f637110622190d4ff9727106
AsyncRAT
d77164b07cd8222d61dd3918911dc322acb6f08d90802d68b554ff436056c59e
AsyncRAT
f0006754d451556014c91039915ea9505f348f80538e536d30b75c5ef252d73d
AsyncRAT
f0f7f9f3d293065a8554c6b9e4757bf511dd3577636ca1a075e0afd206250e5e
AsyncRAT
f4a1a9d78555e5162dd5aebe870aea13af3a8151d031a6221e5340775457ab8a
AsyncRAT
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
AsyncRAT
+ 1'908 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
rat family:asyncrat
Link:
https://tria.ge/reports/200807-mf82285yma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Async RAT payload
AsyncRat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AsyncRAT

z 7867c54c88c7ff0ae6687c0f6ab6c903e1b42ac9aaa17744c85da6f9a824d5f9

AsyncRAT

Executable exe 427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a

(this sample)

  
Dropped by
MD5 aeaa127b1568b9a60c166f4822091a66
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41651/
  
Dropped by
SHA256 7867c54c88c7ff0ae6687c0f6ab6c903e1b42ac9aaa17744c85da6f9a824d5f9

Comments