MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a
SHA3-384 hash: 5ea46209fddd133e65f7b557b94ac3ef001d2a7e3359a2aaf087ee215a677e577032f104badbfa3afbb3e539d1fd4fd8
SHA1 hash: b8c4cd167828452f6d3f5dbc398e5a0a78b4b09e
MD5 hash: c2d1a47ee99ff3b641487a9ddfff1449
humanhash: dakota-hydrogen-snake-timing
File name:4570649013c21a25f6e926d8e0b37fadd0120425b3e02.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:410'624 bytes
First seen:2021-03-22 17:20:51 UTC
Last seen:2021-03-22 18:38:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:RAw8FVhgCBwTV83pluV79p8YWw2ddAB6:RAw8FVhgCBwTV83plCuYWwOAB
TLSH 5A94AAA1A97E40C2F29EF4784D80FA3566257D7394E216EFA7C133CBD4713D1688362A
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
46.243.221.55:2703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.243.221.55:2703 https://threatfox.abuse.ch/ioc/4415/

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4570649013c21a25f6e926d8e0b37fadd0120425b3e02.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 17:29:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e32533f5-6087-4b72-beb2-7e6778003d0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126014/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.51203.10591.12948.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Sending a UDP request
Deleting a recently created file
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53b4690f-a86b-4cd4-a822-67708118052d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/648238
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to delay execution (extensive OutputDebugStringW loop)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 373083 Sample: 4570649013c21a25f6e926d8e0b... Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 50 dongreg202020.duckdns.org 2->50 52 liverpoolsupporters9.com 2->52 60 Antivirus detection for URL or domain 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Sigma detected: Powershell adding suspicious path to exclusion list 2->64 66 5 other signatures 2->66 8 4570649013c21a25f6e926d8e0b37fadd0120425b3e02.exe 24 16 2->8         started        13 svchost.exe 2 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 56 liverpoolsupporters9.com 104.21.88.100, 49701, 49722, 49723 CLOUDFLARENETUS United States 8->56 42 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 8->42 dropped 44 C:\Users\user\...\MWHJjkPGZHKrkhYB.exe, PE32 8->44 dropped 46 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->46 dropped 48 2 other files (1 malicious) 8->48 dropped 68 Drops PE files to the startup folder 8->68 70 Creates an autostart registry key pointing to binary in C:\Windows 8->70 72 Adds a directory exclusion to Windows Defender 8->72 78 4 other signatures 8->78 19 MWHJjkPGZHKrkhYB.exe 8->19         started        22 cmd.exe 8->22         started        24 powershell.exe 9 8->24         started        26 8 other processes 8->26 74 Query firmware table information (likely to detect VMs) 13->74 76 Changes security center settings (notifications, updates, antivirus, firewall) 15->76 58 127.0.0.1 unknown unknown 17->58 file6 signatures7 process8 dnsIp9 54 liverpoolsupporters9.com 19->54 28 conhost.exe 22->28         started        30 timeout.exe 22->30         started        32 conhost.exe 24->32         started        34 AdvancedRun.exe 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 5 other processes 26->40 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 11:26:21 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivygjeatyincl5xje3mobm37vxibebbfwpqccwtj3wpab6rvr6fa._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:asyncrat evasion keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/210322-rm64hjfvye/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
AgentTesla Payload
Async RAT payload
Nirsoft
AgentTesla
AsyncRat
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
Unpacked files
SH256 hash:
4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a
MD5 hash:
c2d1a47ee99ff3b641487a9ddfff1449
SHA1 hash:
b8c4cd167828452f6d3f5dbc398e5a0a78b4b09e
Link:
https://www.unpac.me/results/46ce263a-2088-4019-bbf1-c34da562f5da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4570649013c21a25f6e926d8e0b37fadd0120425b3e0215a69dd9e00fa358f8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/126014/

Comments