MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df
SHA3-384 hash: 8c15a0806a1a9444ecd003aff18ab10ec3be6d40f495afccf1f6fa30ad3478cacc55c6eaef883a771e800c87c91822e9
SHA1 hash: daa83187c52c8fd8349e2525cc0754ccdc023fd0
MD5 hash: c094c57d960c5db1a798911c59cb9c91
humanhash: september-skylark-five-apart
File name:net5.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:784'771 bytes
First seen:2021-07-21 12:36:19 UTC
Last seen:2021-07-21 14:05:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 673f72e4c975e9bc9de6ef08fc342097 (1 x AsyncRAT)
ssdeep 12288:wX8HFbaUNurnh5p4apoEKEVjGtH3H8kDrJ5tl2pSF7Wx:wYFOUGnTCapoExjGHJD9u2c
Threatray 2'611 similar samples on MalwareBazaar
TLSH T1CEF46B37AB902004D6AB14B168B2D5360B36FC12940A9D1B7D94F84E18B7D47BA77F2F
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
79.134.225.52:600

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.52:600 https://threatfox.abuse.ch/ioc/161880/

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
net5.exe
Verdict:
Malicious activity
Analysis date:
2021-07-21 12:44:14 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/e21722f0-6ac0-44a9-8b89-60cce691645f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AsyncRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172976/
Detection(s):
SecuriteInfo.com.Variant.Johnnie.366079.8496.24631.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92d4464d-6dcb-4257-abc6-b4566801ed1c
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819484
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Potential malicious icon found
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451894 Sample: net5.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 18 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->18 20 Potential malicious icon found 2->20 22 Found malware configuration 2->22 24 7 other signatures 2->24 6 net5.exe 2->6         started        process3 signatures4 26 Sample uses process hollowing technique 6->26 9 RegSvcs.exe 2 6->9         started        12 RegSvcs.exe 6->12         started        14 RegSvcs.exe 6->14         started        process5 dnsIp6 16 mysubdomain873.duckdns.org 79.134.225.52, 49707, 600 FINK-TELECOM-SERVICESCH Switzerland 9->16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df/
Threat name:
ByteCode-MSIL.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 12:37:07 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6ak2zx6bamsema2rkimuaos4mggxvopz67d25uhopum7bximtpq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
59826e007d50e1f3dcda5d2cb2ac50ba32f154da98c1348f7fbfee24f6b29841
AsyncRAT
7c991793d6d9d1b21496bfd5867fc3d991a5f0f5013c0733ab57b2ac89f00a10
AsyncRAT
81e96984130042d0ee70ae09a7bc9375974d513938e80877720d251330e4b37e
AsyncRAT
8adeeedad895d174c55f2d43c1985ff77fc533975cfde64f8dfd99782e4c4b9f
AsyncRAT
a412a3bdf6e8891fa60734b53430db5d0ac8dce28a764fd013dd767614790c45
AsyncRAT
ce0530832a781bd0ca193f10973c554c051cbebd189339c2ff31b60638914a89
AsyncRAT
d82330b1d9bfbebbff4d21e9ddd0f86e90ed27031ba29557587d182246301ee5
AsyncRAT
dcaf6810871062a1a5a292c8e46667a8b7de908d292513ef1c443929ce8897c5
AsyncRAT
dcd32e037c7e83fb4114d1d9517830e21ad5738ad4e4ee8b685b49f805d1e8f7
AsyncRAT
ea78060a7dd7e2df3a47591cc7503c7dd637c3169ec4c78250a43f3bd3d4a290
AsyncRAT
+ 2'601 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210721-flh4qcl47x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
mysubdomain873.duckdns.org:600
Unpacked files
SH256 hash:
4139818cf33e0c4ac41a216ab39f9021b5a90a7fc9293b9aa48234f00867223c
MD5 hash:
106954c7ec3bdd044b4d8092fe10aa96
SHA1 hash:
bdedbfb1a7aece6159c0c314fefe50d8842375b6
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/f551a106-218a-4c5a-b967-562890f67cab/
SH256 hash:
4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df
MD5 hash:
c094c57d960c5db1a798911c59cb9c91
SHA1 hash:
daa83187c52c8fd8349e2525cc0754ccdc023fd0
Link:
https://www.unpac.me/results/f551a106-218a-4c5a-b967-562890f67cab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172976/

Comments