MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 11 File information Comments

SHA256 hash: 45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe
SHA3-384 hash: 4969324d3c59beec75980debfbe5c48ed1a8997e24f9ae61dcbe1d19991aa88581ee8bbfb35284d1a9c2f7e3d04a1e09
SHA1 hash: 3669c101670b0b373dea1c7729718340196da4bc
MD5 hash: 10135b39a4a6d8717ba8ceec380ef060
humanhash: uncle-fourteen-virginia-ceiling
File name:10135b39a4a6d8717ba8ceec380ef060.exe
Download: download sample
Signature AsyncRAT
File size:49'152 bytes
First seen:2022-08-05 11:05:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep 768:wuK49TH4EjZWUR+ejmo2qrw8sJrKKIixPIAoqVcg0b1G24HftYUpG5ilsga8yBDu:wuK49THf52HtuAo9rbMNYUpnfMdh+
TLSH T161233B003BE9822BF2BE4F789DF22145467AB1673607D64E6CC441D75A13FC19A42AFE
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @abuse_ch
Tags:AsyncRAT exe RAT


Twitter
@abuse_ch
AsyncRAT C2:
61.14.233.88:7707

Intelligence


File Origin
# of uploads :
1
# of downloads :
327
Origin country :
NL NL
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
asyncrat
ID:
1
File name:
10135b39a4a6d8717ba8ceec380ef060.exe
Verdict:
Malicious activity
Analysis date:
2022-08-05 11:08:33 UTC
Tags:
asyncrat trojan rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
–°reating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat coinminer fareit greyware njrat packed rat razy samas
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Generic Downloader
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679246 Sample: Uhy4TvdjRw.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 7 other signatures 2->50 9 Uhy4TvdjRw.exe 7 2->9         started        13 svchost.exe 3 2->13         started        process3 file4 36 C:\Users\user\AppData\Roaming\svchost.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\...\Uhy4TvdjRw.exe.log, ASCII 9->38 dropped 54 Drops PE files with benign system names 9->54 15 cmd.exe 1 9->15         started        17 cmd.exe 1 9->17         started        56 Antivirus detection for dropped file 13->56 58 Multi AV Scanner detection for dropped file 13->58 60 Machine Learning detection for dropped file 13->60 signatures5 process6 signatures7 20 svchost.exe 2 15->20         started        24 conhost.exe 15->24         started        26 timeout.exe 1 15->26         started        42 Uses schtasks.exe or at.exe to add and modify task schedules 17->42 28 conhost.exe 17->28         started        30 schtasks.exe 1 17->30         started        process8 dnsIp9 40 61.14.233.88, 49739, 7707 VNPT-AS-VNVNPTCorpVN Viet Nam 20->40 52 System process connects to network (likely due to code injection or exploit) 20->52 32 MpCmdRun.exe 1 28->32         started        signatures10 process11 process12 34 conhost.exe 32->34         started       
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Status:
Malicious
First seen:
2022-08-02 19:22:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
asyncrat
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
61.14.233.88:6606
61.14.233.88:7707
61.14.233.88:8808
Unpacked files
SH256 hash:
45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe
MD5 hash:
10135b39a4a6d8717ba8ceec380ef060
SHA1 hash:
3669c101670b0b373dea1c7729718340196da4bc
Detections:
win_asyncrat_w0 AsyncRAT

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:AsyncRat
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:malware_asyncrat
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:MAL_AsnycRAT
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_Reverse_Run_Key
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key
Rule name:win_asyncrat_j1
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
61.14.233.88:7707 https://threatfox.abuse.ch/ioc/841503

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments